spf-discuss

Re: [spf-discuss] TENBOX/E as an AUTH type

2007-04-06 09:21:15
On Friday 06 April 2007 12:07, Stuart D. Gathman wrote:
> On Fri, 6 Apr 2007, Scott Kitterman wrote:
>> The identities associated with SPF (and even SID to a degree) and DK/DKIM
>> can be validated out of band (in DNS).
>>
>> Submitter was just a hack to get you to go to DATA.  Note that Submitter
>> was also the SID solution to the forwarding problem.  How would a TENBOX
>> identity (regardless of if it's an AUTH parameter or an ESMTP keyword) be
>> different?
>
> Because it can be validated out of band via SPF by comparing the connect
> IP to the SPF record for the alleged domain in AUTH=.  Without AUTH=,
> you have to consult a list of possible forwarders, validating each one
> (or compiling to IP sets with TTL).  AUTH= just saves time by telling
> you which forwarder domain to validate.  Note that you would *still*
> check that the domain is in the list of authorized forwarders.
>
> Think of this application of AUTH= as providing the real MAIL FROM
> to validate instead of the forged MAIL FROM.  This is similar
> to SRS, except that bounces go to the original sender instead of
> the forwarder.

But then it still comes down to reputation.  Unless I have a whitelist of 
forwarders that I trust, it could be any random forger using this protocol.  
While I can see that this might save overhead for the receiver (it's a 
smaller lookup list), I don't see how it fundamentally changes anything?

I don't think receiver table lookup efficiency is enough to drive a new 
protocol deployment.

Scott K
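
The receiver-side check discussed in this thread, as an added example that is not part of the original messages or of any TENBOX specification. It assumes the AUTH= value has already been reduced to a domain and that each trusted forwarder's SPF record has been compiled to IP networks; all domains, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed data: forwarders this receiver has chosen to trust, each mapped
# to the networks its SPF record was compiled to (the "IP sets" in the thread).
TRUSTED_FORWARDERS = {
    "forwarder.example": ["192.0.2.0/24"],
    "alumni.example": ["198.51.100.16/28", "2001:db8:10::/48"],
}
# Constructed: a domain with a valid SPF record that was never whitelisted.
OTHER_SPF = {"forger.example": ["203.0.113.0/24"]}


def ip_in_sets(connect_ip, networks):
    """True if the connecting IP falls inside any compiled SPF network."""
    ip = ipaddress.ip_address(connect_ip)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def check_forwarded(connect_ip, auth_domain=None):
    """Return (verdict, forwarder_domain, number_of_SPF_sets_consulted)."""
    if auth_domain is not None:
        domain = auth_domain.lower().rstrip(".")
        # Still required with AUTH=: the named domain must be a trusted
        # forwarder. An SPF pass for an arbitrary domain proves nothing.
        if domain not in TRUSTED_FORWARDERS:
            return ("untrusted", domain, 0)
        ok = ip_in_sets(connect_ip, TRUSTED_FORWARDERS[domain])
        return ("pass" if ok else "fail", domain, 1)
    # Without AUTH=: walk the whole forwarder list until one matches.
    checked = 0
    for domain, nets in TRUSTED_FORWARDERS.items():
        checked += 1
        if ip_in_sets(connect_ip, nets):
            return ("pass", domain, checked)
    return ("none", None, checked)


if __name__ == "__main__":
    for ip, dom in [("198.51.100.20", "alumni.example"),
                    ("198.51.100.20", None),
                    ("203.0.113.5", "forger.example"),
                    ("203.0.113.5", "forwarder.example")]:
        print(ip, dom, check_forwarded(ip, dom))
```

The third case is the one the reply above turns on: the connecting IP matches the SPF sets of the domain it names, yet the verdict depends entirely on whether the receiver already trusts that domain.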
