On 10/04/07, Magnus Holmgren <[EMAIL PROTECTED]> wrote:
> On Monday 09 April 2007 18:31, Peter Bowyer wrote:
> > On 09/04/07, Paul Johnson <[EMAIL PROTECTED]> wrote:
> > > Marc Perkel wrote in Article <[EMAIL PROTECTED]> posted to
> > > gmane.mail.exim.user:
> > > > Just one quick question. Do domain keys break email forwarding the way
> > > > SPF does?
> > >
> > > SPF doesn't break forwarding if you implement SRS...
> >
> > Correction: SPF doesn't break forwarding if everyone (known or
> > unknown) who forwards your mail implements SRS.
>
> Correction: SPF doesn't break any forwarding that isn't seriously broken in
> itself (like me redirecting some of my mail to you without your consent, and
> without changing the envelope sender).
Ah, but your definition of 'broken' here is different from 'stops working' - you're (correctly) observing that same-envelope forwarding is (or at least, should be) end-of-life. In itself it still 'works', is still in regular use everywhere, and the likes of Marc P are entitled to observe that SPF 'breaks' it. An architectural 'broken' as opposed to an implementation 'broken'.

> SPF doesn't break forwarding if employed carefully. Mail isn't forwarded
> totally randomly; in sane configurations a user U tells a system A to forward
> his mail to system B. If B wants to enforce SPF, they have to allow U to tell
> them about this forwarding, so that an exception can be made. A relatively
> secure and not too user-unfriendly way of doing this could be by letting the
> user forward their mail to a special address of this form:
> user+forwarded-(secret)@domain.example, where (secret) is a sufficiently
> random string.

... which is as unlikely to happen as universal SRS.

> Otherwise they could specify the IP addresses the forwarded
> mail can come from (but that's complicated), or in many cases simply
> specifying the mail address forwarded from, letting the SPF-enforcing server
> make educated guesses, can work.

Indeed, and the SPF project is discussing several alternatives to 'the forwarder problem' which include a formalised way of doing just that. All of them have significant implementation inertia, though.

In the meantime, use of SPF to give 'deny' decisions at the border is likely to be unsafe, except where you either are sure about your community of inward forwarders, or don't care about false positives. Likewise, publishing '-all' in your SPF record is only safe when either you know you can control use of your domain in MAIL FROM to a sufficient degree, or you don't care about the same FPs as the receiver doesn't care about.

Oh dear, we're straying into a 'don't go there' area for the list's editorial policy. And since I'm co-responsible for enforcing it......
Peter

-- 
Peter Bowyer
Email: [EMAIL PROTECTED]

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
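The two forwarding exceptions discussed in the thread (Magnus's user+forwarded-(secret)@domain.example address, and the alternative of registering the forwarder's IP addresses) can be combined into one border decision on the receiving system B. The following is an added illustration written for this page, not code from the thread or from Exim; the registration table, the user names, the secret and the 192.0.2.0/24 and 198.51.100.x addresses are constructed sample values, and the function names are hypothetical. It shows the point that matters for safety: an SPF 'fail' only turns into a reject when neither exception applies, and the secret tag is compared in constant time so it cannot be recovered by probing.

```python
import hmac
import ipaddress
import secrets

# Constructed per-user forwarding registrations. Assumption: in a real
# deployment these live in the receiving system's user database and are
# populated by the user telling system B about the forwarding they set up.
FORWARDING_REGISTRATIONS = {
    "alice": {
        "secret": "8f3a9c1d2e4b5a6f",        # constructed sample secret tag
        "forwarder_ips": ["192.0.2.0/24"],   # constructed documentation range
    },
    "bob": {"secret": None, "forwarder_ips": []},
}

# Only a hard SPF fail is a candidate for a border 'deny'; softfail/neutral/
# none are accepted here and left to later filtering.
SPF_REJECT_RESULTS = {"fail"}


def new_forwarding_secret(nbytes=16):
    """Generate a sufficiently random tag for a user to embed in the address."""
    return secrets.token_hex(nbytes)


def split_recipient(rcpt_to):
    """Split 'user+forwarded-<secret>@domain' into (user, secret or None, domain).

    Plain 'user@domain' yields (user, None, domain).
    """
    local, _, domain = rcpt_to.rpartition("@")
    user, _, tag = local.partition("+")
    prefix = "forwarded-"
    if tag.startswith(prefix) and len(tag) > len(prefix):
        return user, tag[len(prefix):], domain
    return user, None, domain


def is_registered_forwarder(user, client_ip):
    """True if the connecting IP is one the user registered as their forwarder."""
    reg = FORWARDING_REGISTRATIONS.get(user)
    if not reg:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in reg["forwarder_ips"])


def has_valid_secret(user, presented):
    """True if the secret tag in the recipient address matches the stored one."""
    reg = FORWARDING_REGISTRATIONS.get(user)
    if not reg or not reg["secret"] or presented is None:
        return False
    # Constant-time comparison: a byte-by-byte early exit would let the tag
    # be guessed through timing. Length mismatch simply returns False.
    return hmac.compare_digest(reg["secret"].encode(), presented.encode())


def border_decision(spf_result, rcpt_to, client_ip):
    """Decide 'accept', 'accept-forwarded' or 'reject' for one recipient.

    An SPF fail is overridden only when the user has told us about this
    forwarding, either via the secret address or a registered forwarder IP.
    Mail accepted under the exception bypasses SPF, so it should still go
    through the normal content filtering rather than being trusted outright.
    """
    if spf_result not in SPF_REJECT_RESULTS:
        return "accept"
    user, presented_secret, _domain = split_recipient(rcpt_to)
    if has_valid_secret(user, presented_secret):
        return "accept-forwarded"
    if is_registered_forwarder(user, client_ip):
        return "accept-forwarded"
    return "reject"


if __name__ == "__main__":
    # Constructed sample delivery attempts: one with the secret address, one
    # from a registered forwarder, one unknown.
    for spf, rcpt, ip in [
        ("fail", "alice+forwarded-8f3a9c1d2e4b5a6f@example.org", "198.51.100.5"),
        ("fail", "alice@example.org", "192.0.2.10"),
        ("fail", "bob@example.org", "198.51.100.5"),
    ]:
        print(rcpt, ip, "->", border_decision(spf, rcpt, ip))
```

The secret lives only in the local part of the address the user hands to system A, so it leaks to anyone who sees that forwarding configuration or the RCPT TO; rotating it with `new_forwarding_secret()` and re-registering is the recovery path, which is also why the registered-IP route is offered as a second, independent exception.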
