On 07/12/2020 21:47, John Levine via mailop wrote:

>> Forwarders are one of the things that don't respond well to SPF.  But
>> honestly, it's 2020 ... why are we forwarding mail to external services?
>> SRS might be a bandaid for this, but isn't the easiest solution to just
>> tell people that forwarding mail to external servers is bad (mmkay).
>
> Uh, no. I have lots of users with role accounts who read their mail at
> gmail.  Forwarding is as useful as it ever was, even though it is ever
> harder to do successfully.
>
> The fact that SPF can't handle forwarded mail is a failure of SPF, not
> a bug in forwarding.

We have to be careful not to prescribe that the old way of doing things is sacrosanct. The world changes.

I remember when I could have emailed you by sending a message to johnl%taugh.com%microsoft....@ibm.com and it would have got to you. No one (I hope) nowadays would say that is an acceptable way of doing things.

Forwarding is still useful nowadays, but 'willy nilly' forwarding shouldn't be. Nowadays, there needs to be a way to limit forwarding to the forwarding you actually want to happen. The risk of spoofed mail can be catastrophic for a company, and because forwarded mail looks very similar to spoofed mail, there needs to be a way to differentiate them.

If you're forwarding to your own company's mail server, then it should be easy to have that forwarding work with SPF, and if you're forwarding to someone like gmail, then, to be honest, it should be relatively trivial for them to *USE* SPF to allow forwarding to them. I could tell Google to allow a specific domain to forward to me (the domain of the forwarder), and they use the SPF record for that domain to validate the IP addresses that can then forward and override other SPF checks.

Or forwarders could add a digital signature to a header, and the user somehow tells the forwarding target the public key to validate that signature for forwarders they want to allow that would then bypass SPF checks. (This would be better than the IP checking way, but would require a new standard)

--

Paul
Paul Smith Computer Services
supp...@pscs.co.uk - 01484 855800
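
The per-recipient forwarder allowlist described in the message above, sketched as an added example that is not part of the original post or any provider's implementation. The domain names, the SPF records and the function names are constructed for illustration, and the SPF evaluation is deliberately reduced to `ip4:`/`ip6:` mechanisms with no DNS lookups.

```python
import ipaddress

# Constructed SPF records (documentation address ranges). A real receiver
# would fetch these from DNS TXT and evaluate them fully per RFC 7208.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

def spf_permits(domain, client_ip):
    """Simplified SPF check: only ip4:/ip6: mechanisms are understood."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return False
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        kind, _, value = term.partition(":")
        if kind in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return True
    return False

def evaluate(client_ip, mail_from_domain, trusted_forwarders):
    """Return (verdict, reason) for one inbound message to one recipient.

    trusted_forwarders is the set of forwarder domains this recipient has
    explicitly allowed (hypothetical per-user setting).
    """
    if spf_permits(mail_from_domain, client_ip):
        return ("pass", "client IP authorised by " + mail_from_domain)
    # Normal SPF failed: check whether the client is a forwarder this
    # recipient allowed, validated against the forwarder's own SPF record.
    for fwd in sorted(trusted_forwarders):
        if spf_permits(fwd, client_ip):
            return ("pass-forwarded", "client IP authorised by trusted forwarder " + fwd)
    return ("fail", "client IP not authorised by sender or any trusted forwarder")

if __name__ == "__main__":
    allowed = {"forwarder.example"}
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, evaluate(ip, "sender.example", allowed))
```

The override applies only for recipients who listed the forwarder, so the same connection still fails SPF for every other mailbox.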

