Jamie Baddeley
http://www.nwfusion.com/news/2004/0122aoltest.html?net
worth looking at....
It has a nasty fishhook: Consider: I have a mailbox at "me(a)bigisp". You have a vanity domain "vanity" held at anotherisp, which forwards all mail to it to your mailbox "you(a)smallisp". bigisp and smallisp both support SPF; bigisp publishes SPF records pointing only to their own mail forwarders, and smallisp looks them up. So if I send mail me(a)bigisp -> you(a)vanity, anotherisp forwards the message, with envelope addresses me(a)bigisp -> you(a)smallisp, from anotherisp's forwarder. smallisp sees mail from bigisp, but bigisp's SPF record doesn't include anotherisp's forwarder, so smallisp rejects it. Bad bad bad.

http://spf.pobox.com/srs.html describes how anotherisp can avoid the problem, but I have to say it looks seriously ugly. And it requires anotherisp to do something it wouldn't have otherwise had to do.

It's not just vanity domains that are affected. Any kind of forwarding, such as forwarding from corporate mail servers to an external address (e.g. home, or place of secondment) will be affected if the external address's mail servers implement SPF.

Also, it won't solve the problem. All a spammer has to do is register a vanity domain for a while, create SPF records for all relays they're using (or not use SPF records at all, or just "borrow" other domains that don't have SPF records; there will be heaps of those for many many years), and then forge the header From: address. Who the heck looks at the envelope addresses anyway? Checking the envelope addresses against the header addresses will get false positives against mailing lists etc, which usually rewrite the envelope from address to point back to the mailing list owner.

I can't say I like the idea of overloading the SPF functionality on TXT records either. Some kind of "mail source" record type in the DNS would be a better solution, IMAO. But it would need to deal with the third party forwarder problem somehow.

It's messy, ugly and ultimately pointless, I'm afraid.

-- don
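A small simulation of the forwarding scenario in the reply above, added here as an example and not taken from the thread: a simplified SPF check over constructed records, anotherisp's forwarder either passing the envelope sender through unchanged or rewriting it SRS0-style, and smallisp's verdict in each case. SPF is reduced to ip4 lookups, the SRS timestamp is a constructed short string, and the domain names, IP addresses and HMAC secret are all assumptions.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for DNS: the IPs each domain's SPF record authorises to send
# its mail. Only bigisp and anotherisp publish records; vanity publishes none.
SPF_RECORDS = {
    "bigisp": {"192.0.2.10"},        # bigisp's own outbound relay
    "anotherisp": {"198.51.100.20"},  # anotherisp's forwarder
}
SRS_SECRET = b"constructed-demo-secret"  # the forwarder's own HMAC key (assumed)

def spf_check(envelope_from, client_ip):
    """Simplified SPF: 'pass' if client_ip is listed for the envelope-sender domain,
    'fail' if a record exists but omits it, 'none' if the domain publishes nothing.
    Real SPF has more mechanisms (a, mx, include, ~all); this models only ip4."""
    domain = envelope_from.rsplit("@", 1)[1]
    authorised = SPF_RECORDS.get(domain)
    if authorised is None:
        return "none"
    return "pass" if client_ip in authorised else "fail"

def _srs_hash(payload):
    # Short keyed hash so only this forwarder can mint a valid SRS address.
    mac = hmac.new(SRS_SECRET, payload.encode(), hashlib.sha1).digest()
    return base64.b32encode(mac)[:4].decode()

def srs_rewrite(envelope_from, forwarder_domain, ts):
    """SRS0-style rewrite: SRS0=<hash>=<ts>=<orig domain>=<orig local>@<forwarder>.
    ts stands in for SRS's timestamp field (a constructed short string here)."""
    local, orig_domain = envelope_from.rsplit("@", 1)
    payload = f"{ts}={orig_domain}={local}"
    return f"SRS0={_srs_hash(payload)}={payload}@{forwarder_domain}"

def srs_reverse(address):
    """Undo the rewrite on a bounce, refusing addresses this forwarder did not mint."""
    local, _ = address.rsplit("@", 1)
    tag, h, ts, orig_domain, orig_local = local.split("=", 4)
    expected = _srs_hash(f"{ts}={orig_domain}={orig_local}")
    if tag != "SRS0" or not hmac.compare_digest(h, expected):
        raise ValueError("not a valid SRS0 address from this forwarder")
    return f"{orig_local}@{orig_domain}"

def forwarded_delivery(envelope_from, use_srs):
    """Model me@bigisp -> you@vanity -> anotherisp's forwarder -> smallisp's SPF check."""
    sender = srs_rewrite(envelope_from, "anotherisp", "2A") if use_srs else envelope_from
    return spf_check(sender, "198.51.100.20")  # smallisp sees the forwarder's IP
```

Without SRS the forwarded message fails SPF at smallisp exactly as the reply describes; with the rewrite it passes, and a bounce to the SRS0 address can be mapped back to the original sender only by the forwarder that holds the secret.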