WebMaster@Commerco.Net wrote:
> At 01:00 PM 12/21/2007, you wrote:
>> David Woodhouse wrote:
>> > On Fri, 2007-12-21 at 14:15 +0000, Julian Mehnle wrote:
>> >> What you don't seem to get is that SPF is an opt-in system. If YOU
>> >> want YOUR mail to be subject to that clear redefinition, don't
>> >> publish an SPF record for YOUR domain. It's that simple.
>> > And if you DO want your mail to be subject to that redefinition, don't
>> > send it by SMTP to mail hosts which are only going to behave like they
>> > have for more than the last two decades, and violate your bogus
>> > assumptions.
>> Forwarding my e-mail without my permission or accounting for my SPF
>> record to a strict SPF checking host will result in a delivery failure.
>> Congratulations, you just denied yourself my e-mail.
>> Yay you.
> Now I am confused (not all that unusual).
> If I forward an email from you (with or without your permission) while
> claiming to be me and passing that email through my strict SPF host, I
> can do that just fine... I think, mostly because I'm not claiming to be
> you, but rather forwarding along a message from you (in the DATA section
> of the SMTP dialogue) with my information in the header (MAIL FROM
> Now if someone is forwarding my email, claiming to be me, I don't care
> for that behavior, thus I have an SPF record in an effort to prevent
> that. Where am I going wrong?

You have a point, permission is irrelevant.

If you send e-mail from your system with a MAIL FROM claiming to be me,
however it got that way, and your system isn't included in my SPF
record, AND you are sending it to a system that rejects mail based on
SPF failures, it will not arrive at the addressee.

Since old-style forwarding systems do not change the MAIL FROM to
reflect their inclusion in the mail path, that is one way a system could
be sending mail claiming to be "MAIL FROM" me, which is one leg of the
above chain of events. Note that this may be a perfectly legitimate
message, but it breaks the chain of accountability and is
indistinguishable from a forged e-mail without more costly measures such
as digital signatures (and this message is an example of why digital
signatures are hardly foolproof themselves...)

For some reason that I do not clearly understand this offends Mr.
Woodhouse's delicate sensibilities, so he pops up here to complain about
it on an irregular basis.

Daniel Taylor
VP Operations
Vocal Laboratories, Inc.
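
The forwarding failure described in the message above, as an added example that is not part of the original post: a minimal SPF evaluator (only the `ip4` and `all` mechanisms) run over constructed records. The domains, IP addresses and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: no real DNS).
SPF_RECORDS = {
    "author.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate a small SPF subset (ip4 and all) for the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the domain has not opted in to SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def receiver_accepts(client_ip, mail_from):
    """A strict receiver: reject at SMTP time only on an SPF 'fail'."""
    return check_host(client_ip, mail_from) != "fail"


def scenarios():
    fwd_ip = "198.51.100.25"  # constructed address of the forwarding host
    return {
        "direct from author's host": check_host("192.0.2.10", "user@author.example"),
        "forwarded, MAIL FROM unchanged": check_host(fwd_ip, "user@author.example"),
        "forwarded, MAIL FROM rewritten": check_host(fwd_ip, "fwd@forwarder.example"),
        "sender publishes no SPF record": check_host(fwd_ip, "user@nospf.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Only the second scenario is rejected by the strict receiver: the forwarder's IP is evaluated against the original sender's record because the MAIL FROM was left unchanged.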