On Saturday 05 January 2008 07:47, Michael Deutschmann wrote:
(I think the way forward is to make forwarder-whitelisting easier, so
that eventually everyone can join the elite class who can deploy
receiverside-SPF safely.)
SPF checks can only safely be done at the boundary between the sender's
network and the receiver's network. Forwarders are agents of the receiver
and so downstream reciever MTAs should not check SPF for messages forwarded
to them.
Recievers can:
1. Not check SPF at downstream MTAs
2. Whitelist forwarders
3. Ignore the problem and accept the false positive risk for forwarded mail
For many receivers, forwarded mail is a noise level problem. Additionally, in
every case of forwarded mail being rejected due to SPF that I've
investigated, the correct final e-mail address was included in the reject
message making it trivial to resend to the correct address.
For others the false positive rate is to much to bear. Forwarder whitelisting
is supported in the current version of Python Postfix policy server:
http://www.openspf.org/Software#python-postfix-policyd-spf
Per-user forwarder whitelisting is on my TODO list for the application.
Scott K
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription:
http://v2.listbox.com/member/?member_id=2183229&id_secret=82195679-78918f
Powered by Listbox: http://www.listbox.com