dtaylor at vocalabs
Dec 21, 2007, 12:49 PM
Post #19 of 50
WebMaster [at] Commerco wrote:
> At 01:00 PM 12/21/2007, you wrote:
>> David Woodhouse wrote:
>> > On Fri, 2007-12-21 at 14:15 +0000, Julian Mehnle wrote:
>> >> What you don't seem to get is that SPF is an opt-in system. If YOU
>> >> want YOUR mail to be subject to that clear redefinition, don't
>> >> publish an
>> >> SPF record for YOUR domain. It's that simple.
>> > And if you DO want your mail to be subject to that redefinition, don't
>> > send it by SMTP to mail hosts which are only going to behave like they
>> > have for more than the last two decades, and violate your bogus
>> > assumptions.
>> Forwarding my e-mail without my permission or accounting for my SPF
>> record to a strict SPF checking host will result in a delivery failure.
>> Congratulations, you just denied yourself my e-mail.
>> Yay you.
> Now I am confused (not all that unusual).
> If I forward an email from you (with or without your permission) while
> claiming to be me and passing that email through my strict SPF host, I
> can do that just fine... I think, mostly because I'm not claiming to be
> you, but rather forwarding along a message from you (in the DATA section
> of the SMTP dialogue) with my information in the header (MAIL FROM
> Now if someone is forwarding my email, claiming to be me, I don't care
> for that behavior, thus I have an SPF record in an effort to prevent
> that. Where am I going wrong?
You have a point: permission is irrelevant.
If you send e-mail from your system with a MAIL FROM claiming to be me,
however it got that way, and your system isn't included in my SPF
record, AND you are sending it to a system that rejects mail based on
SPF failures, it will not arrive at the addressee.
Since old-style forwarding systems do not change the MAIL FROM to
reflect their inclusion in the mail path, that is one way a system could
be sending mail claiming to be "MAIL FROM" me, which is one leg of the
above chain of events. Note that this may be a perfectly legitimate
message, but it breaks the chain of accountability and is
indistinguishable from a forged e-mail without more costly measures such
as digital signatures (and this message is an example of why digital
signatures are hardly foolproof themselves...)
For some reason that I do not clearly understand this offends Mr.
Woodhouse's delicate sensibilities, so he pops up here to complain about
it on an irregular basis.
Daniel Taylor VP Operations Vocal Laboratories, Inc.
dtaylor [at] vocalabs http://www.vocalabs.com/ (952)941-6580x203
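The chain of events described in the reply above (an old-style forwarder keeps the original MAIL FROM, its IP is absent from that domain's SPF record, and a strict receiver rejects on hard fail) worked through as an added example; this is not code from the thread or from any SPF implementation. The domains, IP addresses and SPF records are constructed stand-ins for DNS lookups, and only the ip4 and all mechanisms are modelled.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (no network access).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",     # strict: hard fail for others
    "forwarder.example": "v=spf1 ip4:198.51.100.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"                     # domain has opted out of SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                      # no mechanism matched and no "all"


def receiver_decision(client_ip, mail_from):
    """Strict receiver policy: reject hard fails, accept everything else."""
    result = check_spf(client_ip, mail_from.split("@")[1])
    return ("reject" if result == "fail" else "accept"), result


def forwarding_scenarios():
    """Three legs: direct delivery, forwarding with MAIL FROM unchanged,
    and forwarding where the forwarder rewrites MAIL FROM to its own domain."""
    return {
        "direct": receiver_decision("192.0.2.10", "user@sender.example"),
        "forwarded_unchanged": receiver_decision("198.51.100.5", "user@sender.example"),
        "forwarded_rewritten": receiver_decision("198.51.100.5", "bounces@forwarder.example"),
    }


if __name__ == "__main__":
    for name, (decision, result) in forwarding_scenarios().items():
        print(f"{name:20s} spf={result:8s} -> {decision}")
```

The second scenario is the delivery failure the post describes; the third shows why forwarders that rewrite MAIL FROM to a domain they are authorised for do not trip a strict SPF receiver.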
Sender Policy Framework: http://www.openspf.org