spf-discuss

Re: [spf-discuss] Re: advice wrong, or is it?

2007-12-21 13:51:27
WebMaster(_at_)Commerco(_dot_)Net wrote:
At 01:00 PM 12/21/2007, you wrote:


David Woodhouse wrote:
On Fri, 2007-12-21 at 14:15 +0000, Julian Mehnle wrote:
What you don't seem to get is that SPF is an opt-in system.  If YOU
don't want YOUR mail to be subject to that clear redefinition, don't
publish an SPF record for YOUR domain.  It's that simple.

And if you DO want your mail to be subject to that redefinition, don't
send it by SMTP to mail hosts which are only going to behave like they
have for more than the last two decades, and violate your bogus
assumptions.

Forwarding my e-mail without my permission or accounting for my SPF
record to a strict SPF checking host will result in a delivery failure.
Congratulations, you just denied yourself my e-mail.

Yay you.


Now I am confused (not all that unusual).

If I forward an email from you (with or without your permission) while
claiming to be me and passing that email through my strict SPF host, I
can do that just fine... I think, mostly because I'm not claiming to be
you, but rather forwarding along a message from you (in the DATA section
of the SMTP dialogue) with my information in the header (MAIL FROM
dialogue).

Now if someone is forwarding my email, claiming to be me, I don't care
for that behavior, thus I have an SPF record in an effort to prevent
that.  Where am I going wrong?

You have a point; permission is irrelevant.

If you send e-mail from your system with a MAIL FROM claiming to be me,
however it got that way, and your system isn't included in my SPF
record, AND you are sending it to a system that rejects mail based on
SPF failures it will not arrive at the addressee.

Since old-style forwarding systems do not change the MAIL FROM to
reflect their inclusion in the mail path, that is one way a system could
be sending mail claiming to be "MAIL FROM" me, which is one leg of the
above chain of events. Note that this may be a perfectly legitimate
message, but it breaks the chain of accountability and is
indistinguishable from a forged e-mail without more costly measures such
as digital signatures (and this message is an example of why digital
signatures are hardly foolproof themselves...)

For some reason that I do not clearly understand this offends Mr.
Woodhouse's delicate sensibilities, so he pops up here to complain about
it on an irregular basis.


-- 
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
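The chain of events Daniel describes (MAIL FROM claims a domain, the connecting host is not in that domain's SPF record, the receiver rejects on SPF fail) can be walked through with a small evaluator. The following is an added example for this archive page, not code from the list, from openspf.org or from any of the posters; it implements only the ip4, include and all mechanisms of an SPF record, and all domain names, records and IP addresses in it are constructed for the example (documentation ranges, not real zones). It contrasts the three cases in the thread: direct delivery from the domain's own MTA, an old-style forwarder that relays with the original MAIL FROM unchanged, and a forwarder that rewrites MAIL FROM to its own domain (as the Commerco post describes doing), plus the opt-in case of a domain that publishes no record at all.

```python
import ipaddress

# Constructed TXT zone for the example. None of these domains or records
# are real; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges.
TXT = {
    "vocalabs.example": "v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.5 -all",
    # "nospf.example" is deliberately absent: SPF is opt-in, no record means no policy.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the v=spf1 record for a domain from the constructed zone, or None."""
    rec = TXT.get(domain.lower())
    if rec is None or not rec.split()[0] == "v=spf1":
        return None
    return rec


def check_host(ip, domain, depth=0):
    """Toy check_host(): evaluates ip4, include and all, left to right.

    Returns one of pass/fail/softfail/neutral/none/permerror. Mechanisms
    the toy does not implement (a, mx, ptr, exists, macros) yield permerror
    so a record is never silently misjudged.
    """
    if depth > 10:  # RFC 4408 caps include recursion; avoid loops in the zone
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include: matches only when the referenced domain yields "pass"
            if check_host(ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"
    return "neutral"  # fell off the end of the record with no "all"


def receiver_decision(client_ip, mail_from):
    """What a strict SPF-checking receiver does at MAIL FROM time.

    The domain checked is the one in the SMTP envelope sender, not anything
    in the message headers; "fail" is rejected, everything else is accepted.
    """
    domain = mail_from.rsplit("@", 1)[1]
    result = check_host(client_ip, domain)
    return result, ("reject" if result == "fail" else "accept")


if __name__ == "__main__":
    cases = [
        # direct delivery from the domain's own MTA
        ("192.0.2.10", "dtaylor@vocalabs.example"),
        # old-style forwarder relays with the original MAIL FROM untouched
        ("203.0.113.5", "dtaylor@vocalabs.example"),
        # forwarder rewrites MAIL FROM to its own domain before relaying
        ("203.0.113.5", "fwd+dtaylor=vocalabs.example@forwarder.example"),
        # sender domain publishes no SPF record at all
        ("203.0.113.5", "someone@nospf.example"),
    ]
    for ip, sender in cases:
        print(f"{ip:>13}  {sender:<48} -> {receiver_decision(ip, sender)}")
```

The second case is the one the thread argues about: the message may be entirely legitimate, but at the SPF-checking receiver it is indistinguishable from a forgery, because the only evidence the receiver evaluates is the connecting IP against the MAIL FROM domain's published policy. The third case is what Commerco describes, and it passes because the forwarder now vouches for its own domain rather than for someone else's.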

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/