spf-discuss

Re: [spf-discuss] Re: Hotmail and ptr in SPF records

2006-07-29 01:19:36
--On Saturday, July 29, 2006 18:42:16 +1200 Mark Wolk <wmark(_at_)markwolk(_dot_)com> wrote:
[...]
> But what baffles me is that, when sending messages that way, I
> seemingly bypass all the world's SPF filters. I have sent a test
> message using as "From" address a domain that has the SPF string
> "v=spf1 -all" (meaning that no mail should ever be sent from that
> domain). Well, my mail arrived perfectly in Hotmail's inbox, but also
> in other mail services' inboxes, and (when available in the headers) it
> had SPF_PASS.
>
> The other headers were:
> Return-Path: <my_id(_at_)msn(_dot_)com>
                 ^^^^^^^^^^^^^
This is the identity checked by SPF and where DSN will be sent to.

> X-Originating-Email: [my_id(_at_)msn(_dot_)com]
> X-Sender: my_id(_at_)msn(_dot_)com
> From: "Mark Wolk" <info(_at_)my_domain(_dot_)com>
                      ^^^^^^^^^^^^^^^^^^
This is the identity commonly displayed to the reader and where normal replies (i.e. not DSNs) are sent to.

> and when the receiver replies to that mail, his / her reply is
> properly addressed to info(_at_)my_domain(_dot_)com (and not to
> my_id(_at_)msn(_dot_)com)

The system is working exactly as designed. The envelope sender address is checked and thus protected from abuse while the content of the message (including any headers) is ignored by SPF. SPF works only on the transport level (RFC 2821), not on the message level (RFC 2822).

Ralf Döblitz
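
An added illustration, not part of the original post or of any SPF implementation: a minimal Python sketch of the point made in the reply above, that SPF evaluates the envelope sender and never looks at the From: header. The domains, IP addresses, TXT records and the reduced evaluator (only `ip4` and `all`) are constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records standing in for DNS (documentation IP range).
SPF_RECORDS = {
    "msn.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "my-domain.example": "v=spf1 -all",  # "no mail is ever sent from here"
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, client_ip, records=SPF_RECORDS):
    """Evaluate a minimal SPF subset (ip4 and all) for one domain."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return QUALIFIERS[qualifier]
    return "neutral"

def domain_of(address):
    """Lower-cased domain part of an address, with or without a display name."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def check_message(mail_from, client_ip, raw_message):
    """SPF sees only the SMTP envelope; the From: header is compared separately."""
    header_from = domain_of(message_from_string(raw_message)["From"])
    envelope = domain_of(mail_from)
    return {
        "spf_identity": envelope,                 # RFC 2821 MAIL FROM
        "spf": spf_result(envelope, client_ip),
        "header_from": header_from,               # RFC 2822 From:
        # What the From: domain's own policy would say; SPF never asks this.
        "header_from_policy": spf_result(header_from, client_ip),
        "identities_differ": envelope != header_from,
    }

# Constructed message mirroring the headers quoted in the thread.
SAMPLE = (
    'From: "Mark Wolk" <info@my-domain.example>\n'
    "Subject: test\n\n"
    "body\n"
)
RESULT = check_message("my_id@msn.example", "192.0.2.25", SAMPLE)
```

A receiver that wants to notice the situation described in the thread has to compare the two identities itself, as `identities_differ` does here; the SPF result alone says nothing about the From: header.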
