Mailing List Archive

implementation help
Hi,

I am planning to implement SPF but had a few queries.

We are a job portal and send mails on behalf of job seekers to
recruiters and vice versa. These mails are triggered from our
web application, so we send it. When sending the mail on behalf of the
client we set our email address in the Sender header (RFC 5322).
After reading about SPF I gathered that it checks the From header. So
in our case the From field and the SPF record of the sender don't
match.

What would be the correct way of implementing SPF in such a scenario?

Sameer


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: implementation help
On Wed, Nov 11, 2009 at 08:33, Sameer Garg <sameer.garg@gmail.com> wrote:
> Hi,
>
> I am planning to implement SPF but had a few queries.
>
> We are a job portal and send mails on behalf of job seekers to
> recruiters and vice versa. These mails are triggered from our
> web application, so we send it. When sending the mail on behalf of the
> client we set our email address in the Sender header (RFC 5322).
> After reading about SPF I gathered that it checks the From header. So
> in our case the From field and the SPF record of the sender don't
> match.

SPF checks the *envelope* sender, not necessarily the one in the From header.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


Re: implementation help
At 08:33 11/11/2009 Wednesday, Sameer Garg wrote:
>Hi,
>
>I am planning to implement SPF but had a few queries.
>
>We are a job portal and send mails on behalf of job seekers to
>recruiters and vice versa. These mails are triggered from our
>web application, so we send it. When sending the mail on behalf of the
>client we set our email address in the Sender header (RFC 5322).
>After reading about SPF I gathered that it checks the From header. So
>in our case the From field and the SPF record of the sender don't
>match.
>
>What would be the correct way of implementing SPF in such a scenario?


OK, first off: no.
SPF checks nothing within the email, neither From: nor Sender:.
SPF checks the envelope-sender (or Mail-From) and HELO/EHLO
{the content of the SMTP commands
Mail from:
and
HELO or EHLO},

which appear nowhere within the email
{occasionally the end-recipient mail server will record this value in a header
Return-path:
but this header doesn't exist till then,
and the HELO/EHLO in the Received: header}.

{It is the address all bounces and non-delivery reports are sent to and must exist; also it MUST be one of yours,
not because of your SPF but because getting all your users to convince their admins to alter their SPF to allow you to forge their address would be impossible.}

So once you send with an envelope-from that you control, that exists, and that receives bounces and processes them intelligently {manual or automated},
you avoid falling foul of any user's SPF policy.

You can then feel free to implement your own SPF policy for this address to limit others from forging it elsewhere.

--------------
I think you are confusing SPF with the dead {but still used by Hotmail and Exchange} Sender-ID protocol
{which misappropriated SPF records to check the From: and Sender: headers}.

To avoid problems with Sender-ID checking you would ensure the "forged user's" address is in the From: header and your own address {the one used in the envelope} is in the Sender: header
{as when a Sender: header exists I believe it ignores the From and checks the Sender instead}.

To avoid your SPF record and Sender-ID record being used interchangeably,
it's best to explicitly set all 3 {Sender-ID records being the inappropriately named spf2.0}:

"v=spf1 ........." will check HELO/envelope-sender
"spf2.0/mfrom ......" will check envelope-sender
"spf2.0/pra ....." will check one of From: or Sender: or a bunch of others depending on priority

For myself, as a non-believer in Sender-ID, I have all my spf2.0/pra terminated ?all, i.e. pass anyway.


>Sameer
>
>



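The identities discussed in the reply above, as an added example that is not part of the original thread: it builds a portal-style message (user in From:, portal in Sender:) and reports which domain each check would look up. All addresses and host names are constructed placeholders, and the PRA selection is a simplified header-priority walk (Resent-Sender, Resent-From, Sender, From), not a full Sender-ID implementation.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample values (assumptions, not taken from the thread).
PORTAL_BOUNCE = "bounces@jobportal.example"  # envelope sender the portal controls
PORTAL_SENDER = "noreply@jobportal.example"  # goes in the Sender: header
PORTAL_HELO = "mail.jobportal.example"
SEEKER = "Job Seeker <seeker@mailhost.example>"

def build_message(seeker, portal_sender, recipient):
    """Mail sent on behalf of a user: their address in From:, ours in Sender:."""
    msg = EmailMessage()
    msg["From"] = seeker
    msg["Sender"] = portal_sender
    msg["To"] = recipient
    msg["Subject"] = "Application for the posted role"
    msg.set_content("Sent via the portal on behalf of the job seeker.")
    return msg

def domain_of(address):
    """Lower-cased domain of a mailbox; empty string for '<>' or malformed input."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def pra(msg):
    """Simplified Purported Responsible Address: first usable header by priority."""
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        addr = parseaddr(str(msg.get(header, "")))[1]
        if addr:
            return header, addr
    return None, ""

def checked_identities(envelope_from, helo, msg):
    """Domain whose published policy each check consults for this delivery."""
    pra_header, pra_addr = pra(msg)
    return {
        "helo": helo.lower(),                                   # v=spf1
        # A null envelope sender ("<>") makes SPF fall back to the HELO name.
        "mfrom": domain_of(envelope_from) or helo.lower(),      # v=spf1, spf2.0/mfrom
        "pra": domain_of(pra_addr),                             # spf2.0/pra
        "pra_header": pra_header,
    }

if __name__ == "__main__":
    m = build_message(SEEKER, PORTAL_SENDER, "recruiter@corp.example")
    for scope, value in checked_identities(PORTAL_BOUNCE, PORTAL_HELO, m).items():
        print(f"{scope:11} {value}")
```

With the Sender: header present, every checked identity resolves to the portal's own domain; the job seeker's domain is only consulted by the PRA check when Sender: is missing.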