
Re: [spf-discuss] Yet another attempt to fix forwarding

2008-02-05 10:07:22
On Tue, 5 Feb 2008, Alessandro Vesely wrote:

Especially if forwarders publish SPF records for the forwarded domains
(receivers can validate an alias forwarder by comparing the IP against the
SPF records of valid forwarded domains for that recipient - a technique I've
called checking the "pretend domain").

While that is a possible solution, I don't 100% agree that changing the
envelope sender perfectly suits all cases. If a forwarder can be
whitelisted, in many cases the original envelope sender can be fine.

The "pretend domain" does *not* change the envelope sender.  Instead,
the receiver ignores the envelope sender while checking the IP against
a list of authorized forwarder domains, using each forwarder domain in
turn in place of envelope sender for an SPF check.  As suggested by
others, the AUTH= ESMTP keyword provided by the forwarder could be used to
provide a "hint", and avoid having to check the entire list.  But that is an
optimization, and not required for proper operation.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
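
The receiver-side "pretend domain" check described in this message, as an added example that is not part of the original post. The SPF evaluator covers only the ip4, include and all mechanisms; the records, domains, addresses and function names are constructed, and trying the AUTH= hint first before falling back to the rest of the list is an assumption about how the hint would be used.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (documentation ranges).
SPF_RECORDS = {
    "alumni.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 include:alumni.example -all",
    "unlisted.example": "v=spf1 ip4:203.0.113.9 -all",
}
# Constructed per-recipient list of forwarder domains the receiver has authorized.
FORWARDERS = {"user@receiver.example": ["alumni.example", "forwarder.example"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(ip, domain, depth=0):
    """Evaluate a small SPF subset (ip4, include, all) for ip against domain."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = spf_check(ip, mech[8:], depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms outside this subset are skipped
        if matched:
            return RESULT[qualifier]
    return "neutral"

def pretend_domain_check(ip, recipient_forwarders, auth_hint=None):
    """Return the forwarder domain whose SPF record authorizes ip, else None.

    The envelope sender is never consulted. auth_hint (domain taken from the
    AUTH= value) only reorders the list; a hint outside the list is ignored.
    """
    candidates = list(recipient_forwarders)
    if auth_hint in candidates:
        candidates.remove(auth_hint)
        candidates.insert(0, auth_hint)
    for domain in candidates:
        if spf_check(ip, domain) == "pass":
            return domain
    return None
```

A None result means no authorized forwarder vouches for the connecting IP, so the receiver falls back to the ordinary SPF check on the envelope sender.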
