MH Michael Hammer (5304) wrote:


From: Jeff Macdonald [mailto:[email protected]]

nice. We also do both for our clients, but RFC5321From and RFC5322From
are different domains, so for spf2.0 we specify PRA.


For our website domains we require that the RFC5321Mailfrom and the
RFC5322From match for all outgoing mail. Specifying PRA for spf2.0
invites certain kinds of attacks that will gain the attacker a neutral
for PRA check.

Right, like this list message. A PRA check would have provided a SoftFail.

It came in with a 5321.MailFrom:

    [email protected]

which unfortunately doesn't support SPF. :-(

If this mailer at the very least supported submitter, it would have used:

  MAIL From:<[email protected]> [email protected]

This would allow receivers to lower their overhead by checking at the SMTP level. Instead, our server did a bunch of checks.

--
Sincerely

Hector Santos
http://www.santronics.com

