On Wed, Mar 10, 2004 at 06:08:35PM -0600, Bob Apthorpe wrote:
> > At 02:58 PM 3/10/2004, Mark C. Langston wrote:
> > >With SPF, I can decide whether or not MY domains use SPF. However, I have
> > >no control over whether the service currently providing my IP transit is
> > >using SPF, and thus whether any mail sent by me while using
> > >that transit is going to be affected by SPF (e.g., transparent proxies).
> >
> > I think you're misunderstanding something. The publishing side of SPF
> > resides solely in your DNS server. The verification side resides solely in
> > the receiving mail server. The outgoing SMTP server doesn't care about SPF.
>
> I believe that what Mark is getting at is that if
>
> - he prefers (say) to use his AOL address everywhere and
>
> - he sends mail using his AOL address through Earthlink's server, and
>
> - AOL publishes restrictive ("v=spf1 mx -all") SPF records
>
> then any system that makes delivery determinations based on SPF would
> refuse, drop, or badly score his mail. Essentially, he's screwed because
> he doesn't control spoofing policy for his AOL address, AOL does. And
> that's a problem, at least for him and for everyone else relying on the
> current model of lax spoofing policy.

This is *only* envelope spoofing. AOL has every right to deny Mark to
cause problems for AOL. AOL is the one processing the bounces if Mark
is doing something wrong. Could be as silly as "[EMAIL PROTECTED]".

Easy way out: use your/a local address as envelope sender (RFC821), use
your aol address in "From:" (the RFC822 part).

This is something that can be implemented at the MUA and/or the MTA. Where
it is best to do so depends on the setup. It is something the systems
administrator can do; no user intervention needed.

This is, BTW, a solution for the forwarding problem as well. If your
MTA is sending messages to my MTA, I will deliver the resulting bounce
to your MTA and NOT TO $innocent_third_party.

Alex
--
begin sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
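
The envelope-sender (RFC821) versus "From:" header (RFC822) distinction made in the message above, as an added example that is not part of the original thread: a minimal SPF evaluator that handles only the `ip4`, `mx` and `all` mechanisms and runs over constructed DNS data. The domains `bigisp.example` and `home.example`, the IP addresses and the function names are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string

# Constructed DNS data (assumption): stand-ins for real TXT and MX/A lookups.
TXT = {
    "bigisp.example": "v=spf1 mx -all",               # restrictive policy from the thread
    "home.example": "v=spf1 ip4:192.0.2.0/24 -all",   # the sender's own domain
}
MX_ADDRS = {"bigisp.example": ["198.51.100.10", "198.51.100.11"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message: the header From: keeps the big-ISP address in both runs.
MESSAGE = "From: mark@bigisp.example\nSubject: test\n\nbody\n"


def check_spf(client_ip, mail_from):
    """Evaluate the SPF policy of the envelope sender's domain (ip4, mx, all only)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech == "mx":
            matched = client_ip in MX_ADDRS.get(domain, [])
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def receive(client_ip, mail_from, raw):
    """Return (SPF result, From: header); only MAIL FROM feeds the SPF check."""
    return check_spf(client_ip, mail_from), message_from_string(raw)["From"]


if __name__ == "__main__":
    relay = "192.0.2.25"  # constructed: outbound relay of home.example
    print(receive(relay, "mark@bigisp.example", MESSAGE))  # envelope uses big-ISP address
    print(receive(relay, "mark@home.example", MESSAGE))    # envelope uses local address
```

The same relay and the same "From:" header produce a different SPF result depending only on the envelope sender, which is also the address that receives any bounce.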