George Hitz wrote:

> The source I found most helpful was wiki e-mail. In particular
> the numbered flow diagram. If that flow could be modified with
> numbered additions that showed how the SPF TXT was read and used,
> it would help me immensely.

Are you talking about the PNG "How e-mail works" with 5 steps
from Alice to Bob? That's the most simple case, only one hop:

1 - Alice submits her mail at the "MSA" (message submission agent)
    of a.org. The "MSA" (not shown) somehow forwards it to their
    outbound server smtp.a.org.

SPF is normally not used at that stage, a.org is supposed to know
that alice@a.org is one of their customers. For details see also
RFC 4409. If there's a separate hop from the MSA to smtp.a.org
SPF is also normally not used, smtp.a.org knows its own MSA.

2 - smtp.a.org figures out who might accept mail to bob@b.org, it
    uses a DNS query=mx b.org for this purpose. All details like
    several MXs with different priorities omitted, SPF is not used
    in this step.

3 - smtp.a.org (as client) starts an SMTP session with mx.b.org
    (as server). That's where SPF is normally used: mx.b.org
    can check the SPF policy of HELO smtp.a.org (sent by client).

    Assuming that mx.b.org accepted the HELO smtp.a.org from the
    IP used by smtp.a.org it will get some mails, one of these
    mails claims to be MAIL FROM:<alice@a.org>. Therefore the MX
    checks the SPF policy of a.org, it should permit the sending
    IP, or at least the result must not be FAIL.

    For that mx.b.org (as client) uses DNS to query a name server
    responsible for smtp.a.org and a.org resp. It asks for the
    TXT and SPF records for these domains. If all goes well the
    reply includes one record starting with "v=spf1 ", that's it.

4 - mx.b.org accepted the MAIL FROM alice RCPT TO bob, it then
    forwards it to an "MDA" (message delivery agent, not shown).
    The "MDA" adds the mail to Bob's mailbox (in the example it's
    a POP3 mailbox, but it could be also IMAP etc.).

5 - Bob polls his POP3 server finding Alice's mail. SPF must not
    be used after step 3, for obvious reasons the a.org policies
    won't permit IPs of b.org (like the IP of mx.b.org).

In theory the "MDA" or even Bob's MUA (mail user agent) can also
check SPF, if they get that right looking at the Received: line
added by mx.b.org. But in practice it's too late to reject any
forged mail after step 3, Bob or his ISP could only "tag" it,
putting it into a junk folder for manual deletion. That's the
most dangerous scenario wrt bogus FAIL results (if something
in Bob's setup from step 3 to 5 is horribly wrong).

Frank
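
The step 3 checks described in the mail above, as an added Python example that is not part of the original message: the receiver picks the one TXT record starting with "v=spf1 " and tests the client IP against it, first for the HELO name and then for the MAIL FROM domain. The TXT data and IP addresses are constructed, and only the ip4, ip6 and all mechanisms are modelled; anything else returns the placeholder "unsupported", which is not an SPF result.

```python
import ipaddress

# Constructed TXT answers standing in for the DNS queries of step 3.
# Host names follow the mail; the addresses are documentation ranges (assumed).
TXT = {
    "a.org": ["some unrelated text", "v=spf1 ip4:192.0.2.0/24 -all"],
    "smtp.a.org": ["v=spf1 ip4:192.0.2.25 -all"],
    "b.org": [],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, txt=TXT):
    """Return the single policy record, None if absent; raise if ambiguous."""
    found = [r for r in txt.get(domain, [])
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(found) > 1:
        raise ValueError("more than one v=spf1 record")
    return found[0] if found else None


def check_host(client_ip, domain, txt=TXT):
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    try:
        record = spf_record(domain, txt)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        else:
            return "unsupported"  # a, mx, include, ... need more DNS; not modelled
    return "neutral"  # no term matched and the record has no "all"


def step3(client_ip, helo, mail_from):
    """What mx.b.org checks in step 3: HELO identity, then MAIL FROM domain."""
    return check_host(client_ip, helo), check_host(client_ip, mail_from.rpartition("@")[2])
```

Calling check_host("198.51.100.7", "a.org"), with 198.51.100.7 as a constructed address for mx.b.org, returns "fail": the bogus FAIL the mail warns about when the a.org policy is evaluated after step 3 against the wrong IP.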