> On Mon, Mar 08, 2004 at 06:34:23PM -0800, Bart Schaefer wrote:
> > So ... SPF is supposed to apply to the envelope-sender address, not the
> > From: header address. But SA generally doesn't have access to
> > the former.
> > How can SPF be applied as a reliable test within SA?
>
> Isn't this line available to SPF ?
>
> In the headers of your message:
> From [EMAIL PROTECTED]
> Received: from mail.apache.org (daedalus.apache.org [208.185.179.12])
>
> No SPF record for incubator.apache.org, the current SPF library
> makes an educated guess.
>
> Fake a record "v=spf1 mx/24 ~all"
> (or something similar; not important for the discussion)
>
> MX record for incubator.apache.org is mail.apache.org
> Address of mail.apache.org is 208.185.179.12
> Address of sending host is 208.185.179.12 (confirmed)
>
> 208.185.179.12 is in the same /24 as 208.185.179.12 is.
> Faked SPF returns OK.

The problem with that is that it takes no account of forwarding.

Domains A, B and C. If I send a mail from domain A to domain B, that is then forwarded to domain C, it will appear to be spoofed, as domain B is not in domain A's SPF records. This is what SRS (http://spf.pobox.com/srs.html) was designed to fix. However, SRS only works on the envelope sender, NOT the From address in the headers. So if SA does SPF on the From header it's going to break forwarding and mail redirection... even if you are using the SPF methodology of forwarding (SRS).

I have to say that I'm still much more into the Microsoft idea of putting all this in the headers and keeping with the RFCs. Has anyone else read their plan? I've seen to talk about it. Can anyone here poke the same huge hole in the MS plan as with the SPF plan? I can't. If anyone would like to read their plan and tell me why it's not better than SPF, I would love to hear the argument.

You can find the details here: http://www.microsoft.com/mscorp/twc/privacy/spam_callerID.mspx

Nick

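The forwarding problem described in the thread, as an added example that is not part of the original list post: a minimal SPF evaluator (only the `mx/<prefix>`, `ip4:` and `all` mechanisms) run against constructed DNS data for three domains, plus a simplified, hypothetical SRS0-style rewrite with placeholder hash and timestamp fields, to show that SRS repairs the envelope-sender check but does nothing for a check applied to the From: header.

```python
import ipaddress

# Constructed DNS data for the A -> B -> C scenario (not real records or hosts).
DNS = {
    "a.example": {"spf": "v=spf1 mx/24 ~all", "mx": ["mail.a.example"]},
    "b.example": {"spf": "v=spf1 mx/24 ~all", "mx": ["mail.b.example"]},
    "mail.a.example": {"a": "192.0.2.10"},
    "mail.b.example": {"a": "198.51.100.20"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip):
    """Evaluate the domain's SPF record against the connecting IP (subset of RFC mechanisms)."""
    record = DNS.get(domain, {}).get("spf")
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("".join(QUALIFIERS))
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
        elif mech.startswith("mx"):
            prefix = int(mech.split("/")[1]) if "/" in mech else 32
            for host in DNS.get(domain, {}).get("mx", []):
                net = ipaddress.ip_network(f"{DNS[host]['a']}/{prefix}", strict=False)
                if ip in net:
                    return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit "all"

def srs_forward(envelope_sender, forwarder_domain):
    """Hypothetical, simplified SRS0 rewrite (HHH/TT stand in for the real hash and timestamp)."""
    local, _, orig_domain = envelope_sender.partition("@")
    return f"SRS0=HHH=TT={orig_domain}={local}@{forwarder_domain}"

def forwarding_scenario():
    """A sends to B, B forwards to C; C evaluates SPF against B's outbound host."""
    forwarder_ip = DNS["mail.b.example"]["a"]
    direct = spf_check("a.example", DNS["mail.a.example"]["a"])
    forwarded = spf_check("a.example", forwarder_ip)           # envelope sender still user@a.example
    rewritten = srs_forward("user@a.example", "b.example")      # forwarder applies SRS
    forwarded_srs = spf_check(rewritten.split("@")[1], forwarder_ip)
    from_header_srs = spf_check("a.example", forwarder_ip)     # From: header is never rewritten by SRS
    return {"direct": direct, "forwarded": forwarded,
            "forwarded_srs": forwarded_srs, "from_header_srs": from_header_srs}
```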