
Re: [spf-discuss] Useful SPF results

2006-12-05 10:46:57
On Tue, 5 Dec 2006, David MacQuigg wrote:

The problem as I see it is that SPF is not applicable in situations where 
the Return Address is legitimately unrelated to the Transmitter's IP 
Address, and senders must use the Return Address because their stupid email 
programs don't make a distinction between the Reply Address and the Return 
Address.

You are perhaps thinking of roaming users?

Box67.com is a recipient's forwarding service.  It sends no mail at 
all.  Our clients have public addresses like tdonovan(_at_)box67(_dot_)com, 
(Go for it, you spam harvesters!!)  Whatever mail comes to that address is 
authenticated, rated, tagged and forwarded to the recipient's private 
address at their *existing* email service.  The public address must appear 
in either the Reply-To: header, or the envelope Return Address.  Email 
programs like Eudora do not allow setting a Reply-To: address.

box67.com *does* send mail.  It sends all the mail you are forwarding.
You need to use SRS so that the final recipient can check SPF - *and*
so that their *private* address (your words) doesn't leak in case of
delivery error.

As I understand it, the Reply-To address was introduced only recently, and 
that is why everyone uses the Return Address for this function.  Also, the 
relationship between the Reply-To Address and the Return Address is not 
well defined.  We could insist that our clients use the Reply-To address, 
and leave their Return Address as is, but I fear it will be a long time 
before we see this flexibility universally available in all email programs.

You are thinking of the Sender address.  Reply-To has been there since RFC 822.

Back to the roaming user.  They need to do one of two things:

1) (Preferred) Submit mail to their home server on port 587 using SMTP AUTH.
   This requires configuring the mail client, and works well with carrying
   a laptop or email-capable PDA.  SSH, VPN, and webmail are other solutions
   for submitting through the home system.

2) (The case you are thinking of.)  Being forced to use someone else's 
   email client, they need to set the Sender to the someone else whose
   domain they are sending from.

 2a) But the email client they are forced to use doesn't support Sender!
     So they set From to the someone else, and set Reply-To to their
     own domain.

 2b) But the email client they are forced to use copies Reply-To to the
     return-path instead of From.  So they turn it around and put
     someone else's domain in Reply-To and their own domain in From.

 2c) ... At some point you just have to realize that Someone Else doesn't
     have a functioning email client.  If you are a geek, you can always
     use telnet (I've resorted to that on many occasions - fortunately
     Windoze still includes telnet).

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

