spf-discuss

Re: [spf-discuss] Senderside forwarder-problem mitigation

2009-07-11 06:03:45
Michael Deutschmann wrote:
On Fri, 10 Jul 2009, Alessandro Vesely wrote:
Michael Deutschmann wrote:
> The problem is that, like Microsoft SenderID, V-SPF is compromising the
> effectiveness of G-SPF by leading senders to be timid in their SPF records.

I don't see many differences among the various flavors (G, V, D) of SPF.
Senders who mean SPF to only be used for whitelisting desire that
receivers set, say, whitelist_from_spf in sa, and already have ~all or
?all to choose from. Senders who mean SPF to also reject forgeries set
-all.
But this approach hurts the mailboxes where a forwarder whitelist is
available.  If the sender had given the whole story in its SPF record, the
receiver could reject forgeries with no false positive risk.

I got it: you mean a site where all users use SUBMIT properly, but are worried about unwittingly forwarded messages that they cannot control. They would want to tell receivers to drop forgeries unless they come from forwarders.

The problem is that you have no way, except by carefully checking Received and DKIM-Signature headers, to know whether a message has been forwarded. If such a method existed, a "forwarder" mechanism would be welcome. One could say +forwarder, ~forwarder, or whatever, which would match when the connecting client is a forwarder.

What about forwarders who happened to miss that whitelist?

Look at it this way -- there are five kinds of practical forwarding
problem mitigation:

Crap Receiverside -- Treat all SPF results as if they were the most
permissive of the actual result and Neutral.

?forwarder ?all

Elite Receiverside -- Use a forwarder whitelist to give a virtual Pass to
forwarded mail, otherwise apply actual SPF result.

+forwarder -all (this breaks SPF as an authentication mechanism)

But the G-SPF/V-SPF confusion costs SPF a chance to shine when Elite
mitigation is available.

Yes, mail domains cannot have sharp SPF records because they cannot control whether their _recipients_ use forwarding. Forwarding is a recipient side mechanism, meant to be transparent to senders.

If you introduce a sender's control on forwarding, the difference between using SUBMIT and relaying through the connection provider's facility is nullified by adding that facility to the forwarders whitelist.
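To make the two receiver-side mitigations Michael lists and the hypothetical "forwarder" mechanism concrete, here is an added toy evaluator (not code from this thread or from any SPF implementation). It assumes a receiver-local forwarder whitelist, a constructed sender record and constructed client addresses; a real SPF verifier would return permerror on an unknown mechanism such as "forwarder".

```python
import ipaddress

# Result names as in RFC 4408; a qualifier prefix selects the result a matching term yields.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Ordered from most to least permissive, used by the "Crap receiverside" rule.
PERMISSIVENESS = ["pass", "none", "neutral", "softfail", "fail", "temperror", "permerror"]


def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(record, client_ip, forwarders=()):
    """Toy SPF check supporting only ip4, all and the hypothetical 'forwarder' term.

    'forwarder' matches when client_ip is in the RECEIVER's whitelist (assumption:
    the sender cannot publish that list, which is Alessandro's objection).
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qual]
        if name == "forwarder" and _in_any(ip, forwarders):
            return QUALIFIER[qual]
        if name == "all":
            return QUALIFIER[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def crap_receiverside(result):
    """Treat the result as the more permissive of the actual result and neutral."""
    return min(result, "neutral", key=PERMISSIVENESS.index)


def elite_receiverside(result, client_ip, forwarders):
    """Virtual pass for a whitelisted forwarder, otherwise the actual result."""
    return "pass" if _in_any(ipaddress.ip_address(client_ip), forwarders) else result


# Constructed sample: a sharp (-all) sender record and one forwarder the receiver knows.
RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
FORWARDERS = ["198.51.100.0/24"]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.9"):
        r = evaluate(RECORD, ip)
        print(ip, r, crap_receiverside(r), elite_receiverside(r, ip, FORWARDERS))
```

The third sample address is a forwarder missing from the whitelist: both "Elite" and "+forwarder -all" still reject it, which is the false-positive case the question above raises.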


-------------------------------------------
Sender Policy Framework: http://www.openspf.org