SPF Configurations

Douglas Otis dotis at mail-abuse.org
Mon Dec 7 13:20:09 CST 2009


On Dec 7, 2009, at 9:51 AM, Michael Holstein wrote:

> 
>> The problem we face is that some people we work with can't do that
> 
> Then explain that client-side (their users, to whom they send mail) are probably using Hotmail, et al., and SPF will simply not allow "spoofing" which is what they want to do, unless they either:
> 
> A) add the SPF record as previously mentioned. It's a TXT record under their root and isn't hard at all.

An authorization tied to a PRA or Mail From will not prevent spoofing, it just constrains the risks to those with access to a provider's service.

A provider could ensure a user controls the From email-address, but this would conflict with the IP path registration schemes.
 
> B) permit you to use a subdomain (like "user at theircompanymail.yourdomain.com").

A provider can ensure any signed From email-address is controlled by its users by using ping-back email confirmations appended to user profiles.

There is a proposal aimed at reducing DNS overhead and scalability issues associated with the all-inclusive IP address path registration scheme with its inability to cope with forwarded email:

http://tools.ietf.org/html/draft-otis-dkim-tpa-label-03

Use of this DKIM extension can safely accommodate a user's desire to authorize third-party signatures to protect acceptance of From headers within domains that differ from the DKIM signature.  DKIM does not need to change.

Once IPv6 and international TLDs come into the mix, having users "vote" (authorize) DKIM providers could better determine what new domains can be trusted, and help ensure users are allowed to utilize their own language and to seek assistance in obtaining acceptable IPv6 connectivity.  

-Doug
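The two points argued in this thread, that an SPF `TXT` record only authorizes sending IPs for the envelope (Mail From) domain and that the IP path scheme breaks when a forwarder relays the message unchanged, can be shown with a small evaluator. The following is an added illustration, not code from either poster, and it uses constructed DNS data: the domains `example.com`, `_spf.provider.example` and `forwarder.example`, their records, and the client addresses are all made up for the example. It implements only the `ip4`, `ip6`, `include` and `all` mechanisms so it runs offline; the `a`, `mx`, `ptr` and `exists` mechanisms need live DNS and are rejected here.

```python
import ipaddress

# Constructed TXT records standing in for DNS (not real domains or data).
# example.com authorizes its own /24 plus whatever its provider authorizes.
# forwarder.example is a third party that re-sends mail from its own IPs.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, records=TXT, depth=0):
    """Evaluate a simplified SPF record (RFC 4408 subset: ip4, ip6, include, all).

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    The result vouches only for the MAIL FROM domain, never for the From: header.
    """
    if depth > 10:                      # RFC 4408 limits include recursion
        return "permerror"
    record = records.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include: matches only when the referenced domain yields "pass"
            matched = check_spf(client_ip, arg, records, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            # a / mx / ptr / exists would require live DNS; out of scope here
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no "all"


def from_header_covered(mail_from_domain, from_header_domain, spf_result):
    """True only when SPF passed AND the From: header domain is the same domain
    that SPF actually evaluated. This is the alignment check DMARC later added;
    plain SPF does not perform it, which is the gap discussed in the thread."""
    return spf_result == "pass" and mail_from_domain.lower() == from_header_domain.lower()


if __name__ == "__main__":
    # 1) Direct delivery from the provider's range: authorized.
    print("direct     :", check_spf("198.51.100.7", "example.com"))
    # 2) Same message relayed by a forwarder with the envelope sender kept:
    #    the forwarder's IP is not in example.com's record, so SPF fails.
    print("forwarded  :", check_spf("203.0.113.9", "example.com"))
    # 3) Envelope domain belongs to the sending host and passes, but the
    #    visible From: header names a different domain; SPF says nothing about it.
    r = check_spf("203.0.113.9", "forwarder.example")
    print("mismatch   :", r, "covers From: example.com?",
          from_header_covered("forwarder.example", "example.com", r))
```

Scenario 2 is the forwarding problem named above: the record is correct, yet the receiver sees `fail` because the relaying host is not in the path registration. Scenario 3 shows why an SPF `pass` by itself does not stop a spoofed From: header; the authorization is tied to the Mail From domain, exactly as the reply states.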





More information about the NANOG mailing list