Re: SPF and mail forwarding (was Re: [nznog] Sendmail Question)
In message <8AC558B6BC09CD42BCAF3C667E2A88CC0FC838(a)red.IFM.local>, Philip D'Ath writes:
Ewen McNeill writes:
It would be very helpful if operators that provide a mail forwarding service (eg, just about every ISP that provides mail services) were to do the forwarding in a SPF-compatible manner.
Wouldn't it be easier to just get those people using SPF that forward through an ISP to include their ISPs server in the permitted list (which is what we do)?
Alas, this doesn't solve the problem except if you do what I resorted to doing -- for now anyway -- and say "the mail could come from any mail server I guess" ("?all" at the end of the SPF record).

Why? To take an actual recent example, I host the Wellylug mailing list and website. The Wellylug website has a feature whereby users can subscribe to "meeting reminders", sent out by email shortly before the monthly meetings. usera(a)ispa was one address so subscribed. Unfortunately usera(a)ispa actually forwards mail to userb(a)ispb, without rewriting the envelope from address -- unknown to anyone else until the mail bounced because the SPF check failed (due to the message now coming from a mail server which wasn't in the SPF list for the domain in the envelope from).

Given N subscribers to such a list, at M ISPs, the list of "mail servers the mail might come from" soon grows without bound, especially if one considers that the mail may be forwarded more than once (and yes, I encounter multiple forwards fairly often).

As I said, this "what happens to forwarded mail" issue is the single biggest (and most controversial) problem with SPF. And given that more sites are doing SPF checks it would be very helpful if more ISPs that provide mail forwarding services to their customers did so in a SPF-compatible way.

Ewen

PS: You might argue that users subscribing to such services should subscribe their final destination address, rather than one that forwards on to another account. However even ignoring the reasons why one might wish to subscribe an address that forwards somewhere else, the chances of all users acquiring such clue to do so seem... low.
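[Added example, not part of the original message: a minimal SPF evaluator (ip4 and all mechanisms only) run over the forwarding case described above. The domains, addresses and records are constructed, and "rewritten" assumes the forwarder substitutes an envelope sender in its own domain.]

```python
import ipaddress

# Constructed SPF records (documentation address ranges), not taken from the thread.
SPF = {
    "list.example": "v=spf1 ip4:192.0.2.10 -all",       # list host, strict policy
    "ispa.example": "v=spf1 ip4:198.51.100.0/24 -all",  # the forwarding ISP
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate ip4/all mechanisms left to right; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched

def receive(envelope_from, client_ip, records=SPF):
    """What the final receiver (ispb) checks: envelope-from domain vs connecting IP."""
    domain = envelope_from.rsplit("@", 1)[1]
    record = records.get(domain)
    return check_spf(record, client_ip) if record else "none"

def scenarios():
    list_ip, ispa_ip = "192.0.2.10", "198.51.100.25"
    relaxed = dict(SPF, **{"list.example": "v=spf1 ip4:192.0.2.10 ?all"})
    return {
        # List host delivers straight to the subscriber's mailbox provider.
        "direct": receive("reminders@list.example", list_ip),
        # ispa forwards to ispb and keeps the original envelope sender.
        "forwarded_unchanged": receive("reminders@list.example", ispa_ip),
        # ispa forwards with an envelope sender in its own domain.
        "forwarded_rewritten": receive("usera-fwd@ispa.example", ispa_ip),
        # Sender publishes "?all": the forward is no longer rejected, but
        # the record no longer asserts anything about unlisted servers.
        "forwarded_with_?all": receive("reminders@list.example", ispa_ip, relaxed),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```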
On Sat, Nov 27, 2004 at 12:20:03PM +1300, Ewen McNeill wrote:
usera(a)ispa was one address so subscribed. Unfortunately usera(a)ispa actually forwards mail to userb(a)ispb, without rewriting the envelope from address -- unknown to anyone else until the mail bounced because the SPF check failed (due to the message now coming from a mail server which wasn't in the SPF list for the domain in the envelope from).
Perhaps I'm a little confused, but if usera is rejecting mail from servers that he has arranged to forward him mail, that's his own silly fault?

Richard