On 08/12/2020 09:22, Paul Smith via mailop wrote:
> Forwarding is still useful nowadays, but 'willy nilly' forwarding
> shouldn't be. Nowadays, there needs to be a way to limit forwarding to
> the forwarding you actually want to happen. The risk of spoofed mail
> can be catastrophic for a company, and because forwarded mail looks
> very similar to spoofed mail, there needs to be a way to differentiate
> them.
I see a lot of forwarding between different divisions of the same
company. The UK office runs G Suite and uses example.co.uk. The USA
head office runs on Office 365 and uses example.com.
They were checking both accounts, and they just set up a mail forward to
the other one.
Corporate policy says `you must only publish b...@example.com`. So you
see the crazy thing of an email from b...@example.co.uk with
b...@example.com as their email address in the signature.
I'm not saying whether it is right or wrong, but it's a common use case.
On the spoofed bit. Scams are real. I'm pro SPF. But the benefit of
SPF is diminished because you can still send an email like `From: A
trusted name <scam...@gmail.com>` and the user doesn't see the
domain.
> Or forwarders could add a digital signature to a header, and the user
> somehow tells the forwarding target the public key to validate that
> signature for forwarders they want to allow that would then bypass SPF
> checks. (This would be better than the IP checking way, but would
> require a new standard)
You mean a bit like a second DKIM signature? Is that possible? Is
that useful? Mailing lists do this? Could somebody who understands
this a bit better please say what they think?
--
Tim Bray
Huddersfield, GB
t...@kooky.org
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
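The two mechanisms discussed in the message above, as an added example that is not part of the thread and not any list member's code: (1) the display-name trick ("From: A trusted name <scam...@gmail.com>"), which SPF cannot catch because the free-mail domain passes SPF perfectly well, and (2) the proposed "forwarder adds a signature, recipient configures the forwarder's public key, a valid signature excuses the SPF failure" scheme. The `Forwarder-Seal` header, the `trustedSenders` directory, the forwarder id `uk-office` and the sample messages are all constructed for this example; the seal format is hypothetical and is not an existing standard. The closest real standard for the forwarding problem is ARC (RFC 8617), which works along the same lines but chains signatures from every hop rather than relying on a per-user key list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

var trustedSenders = map[string][]string{"bob example": {"example.com", "example.co.uk"}} // constructed directory: display name -> domains

// DisplayNameSpoof reports whether a From header pairs a trusted person's display name
// with a domain that person does not use; the address itself may be a valid free-mail
// account that passes SPF, which is why SPF alone never catches this.
func DisplayNameSpoof(from string) (bool, error) {
	addr, err := mail.ParseAddress(from) // fails unless a full addr-spec is present
	if err != nil {
		return false, err
	}
	domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	name := strings.ToLower(strings.Join(strings.Fields(addr.Name), " "))
	allowed, known := trustedSenders[name]
	if !known {
		return false, nil // nobody to impersonate
	}
	for _, d := range allowed {
		if d == domain {
			return false, nil
		}
	}
	return true, nil
}

// Message models the signed headers; Seal is a hypothetical "Forwarder-Seal" header
// (not ARC) of the form "forwarder=<id>; sig=<base64 Ed25519 signature>".
type Message struct{ From, To, Subject, Body, Seal string }

// sealInput is the canonical byte string both sides sign and verify.
func sealInput(m Message) []byte {
	bh := sha256.Sum256([]byte(m.Body))
	return []byte("from:" + m.From + "\nto:" + m.To + "\nsubject:" + m.Subject +
		"\nbh:" + base64.StdEncoding.EncodeToString(bh[:]))
}

// AddSeal is what the forwarding side does before relaying the message.
func AddSeal(m Message, forwarderID string, priv ed25519.PrivateKey) Message {
	sig := ed25519.Sign(priv, sealInput(m))
	m.Seal = "forwarder=" + forwarderID + "; sig=" + base64.StdEncoding.EncodeToString(sig)
	return m
}

// VerifySeal is the receiving side; allowed holds the public keys the user chose to
// trust, keyed by forwarder id. It returns the forwarder id on success.
func VerifySeal(m Message, allowed map[string]ed25519.PublicKey) (string, error) {
	idPart, sigPart, ok := strings.Cut(m.Seal, "; ")
	if !ok || !strings.HasPrefix(idPart, "forwarder=") || !strings.HasPrefix(sigPart, "sig=") {
		return "", errors.New("missing or malformed seal")
	}
	id := strings.TrimPrefix(idPart, "forwarder=")
	pub, ok := allowed[id]
	if !ok {
		return "", fmt.Errorf("forwarder %q is not on the allow list", id)
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(sigPart, "sig="))
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, sealInput(m), sig) {
		return "", errors.New("seal signature does not verify")
	}
	return id, nil
}

// Disposition is the receiver's policy: an SPF fail is accepted only when a valid
// seal from an allowed forwarder explains why the sending IP was not the domain's.
func Disposition(m Message, spfPass bool, allowed map[string]ed25519.PublicKey) string {
	if spfPass {
		return "accept: spf pass"
	}
	id, err := VerifySeal(m, allowed)
	if err != nil {
		return "reject: spf fail, " + err.Error()
	}
	return "accept: spf fail but sealed by " + id
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the UK office's forwarder key pair (constructed)
	allowed := map[string]ed25519.PublicKey{"uk-office": pub}
	m := Message{From: "Bob Example <bob@example.co.uk>", To: "bob@example.com", Subject: "Fwd", Body: "hi"}
	fmt.Println(Disposition(AddSeal(m, "uk-office", priv), false, allowed)) // accepted via the seal
	fmt.Println(Disposition(m, false, allowed))                             // rejected, no seal
	spoof, _ := DisplayNameSpoof("Bob Example <bob.example@gmail.com>")
	fmt.Println("display-name spoof:", spoof)
}
```

Two points worth noting about the design. The seal covers a body hash and the From/To/Subject headers, so a forwarder that changes the subject line or a scammer who reuses a captured seal on a different body both fail verification; and a seal from an id the user never configured is rejected even if its signature is mathematically valid, which is the "only the forwarding you actually want" property the thread asks for. It does nothing for the display-name case, which is why the separate `DisplayNameSpoof` check exists.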