Mailing List Archive

minor SIDF/SPF clarification
I know you're all excited to see another SIDF/SPF clarification question. :-)

The doc at http://www.openspf.org/SPF_vs_Sender_ID says:

"If you have published an v=spf1 policy to protect the use of your domain in the MAIL FROM and HELO addresses, Sender ID implementations that
apply your policy to PRA (per RFC 4406) will reject your mail if you use your domain in the "From" (or generally PRA) header field while sending
from (MAIL FROM) another system."

...but only if the "other system" IP is not included in the SPF record for your protected domain, right? Isn't that an important clarification
to make in that sentence? It makes it sound as if using third-party systems is impossible with SID.

And as an aside, why doesn't that page mention forwarding / mailing lists anywhere? Is that not one of the most common causes of problems with
SID (e.g. having to add a Sender header, etc)?

Also, regarding the quote above: isn't it only true if the policy uses -all? (Perhaps that's implied with "policy to protect the use of your
domain".)

Not trying to be critical, just wanting to know if I'm misunderstanding.

Perhaps the rewrite would be:

"If you have published a v=spf1 policy with the "-all" token to protect the use of your domain in the MAIL FROM and HELO addresses, and you send
mail from an IP not covered by your policy, and if you use your domain in the "From" header field (or, generally, the PRA), then Sender ID
implementations may apply your policy to the PRA (per RFC 4406) and may reject your mail.

If using "-all", you may also face rejection if your mail is forwarded through a system whose IP is not in your policy (e.g. a mailing list)."

Am I close??

Thanks,
-c



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101203205107:F57131DE-FF48-11DF-A6CE-E661F559ED1D
Powered by Listbox: http://www.listbox.com
Re: minor SIDF/SPF clarification
spfhelp@caseyconnor.org wrote:

>I know you're all excited to see another SIDF/SPF clarification
>question. :-)
>
>The doc at http://www.openspf.org/SPF_vs_Sender_ID says:
>
>"If you have published an v=spf1 policy to protect the use of your
>domain in the MAIL FROM and HELO addresses, Sender ID implementations
>that
>apply your policy to PRA (per RFC 4406) will reject your mail if you
>use your domain in the "From" (or generally PRA) header field while
>sending
>from (MAIL FROM) another system."
>
>...but only if the "other system" IP is not included in the SPF record
>for your protected domain, right? Isn't that an important clarification
>
>to make in that sentence? It makes it sound as if using third-party
>systems is impossible with SID.
>
>And as an aside, why doesn't that page mention forwarding / mailing
>lists anywhere? Is that not one of the most common causes of problems
>with
>SID (e.g. having to add a Sender header, etc)?
>
>Also, regarding the quote above: isn't it only true if the policy uses
>-all? (Perhaps that's implied with "policy to protect the use of your
>domain".)
>
>Not trying to be critical, just wanting to know if I'm
>misunderstanding.
>
>Perhaps the rewrite would be:
>
>"If you have published a v=spf1 policy with the "-all" token to protect
>the use of your domain in the MAIL FROM and HELO addresses, and you
>send
>mail from an IP not covered by your policy, and if you use your domain
>in the "From" header field (or, generally, the PRA), then Sender ID
>implementations may apply your policy to the PRA (per RFC 4406) and may
>reject your mail.
>
>If using "-all", you may also face rejection if your mail is forwarded
>through a system whose IP is not in your policy (e.g. a mailing list)."
>
>Am I close??
>
You aren't wrong. It's certainly possible to write an SPF record that covers the superset of SPF and SIDF requirements, but that is written from the perspective of a record written just for SPF. The primary point is that SIDF reuse of SPF records (which was a unilateral Microsoft decision made after the IETF MARID working group was shut down) causes any SPF user to be an involuntary SIDF user, and this can cause problems.

Fortunately SIDF never really took off and DKIM is rapidly filling the niche it was aimed for. That statement was the joint work of a number of people and so I don't feel comfortable changing it without dire need.

Scott K


Re: minor SIDF/SPF clarification
On lør 04 dec 2010 02:49:22 CET, wrote

> If using "-all", you may also face rejection if your mail is
> forwarded through a system whose IP is not in your policy (e.g. a
> mailing list)."

What mailing list does this?

Envelope sender changes, but From: stays as me@junc.org, no?

> Am I close??

try again :)

--
xpoint



Re: minor SIDF/SPF clarification
On Saturday, December 04, 2010 10:26:43 am Benny Pedersen wrote:
> On lør 04 dec 2010 02:49:22 CET, wrote
>
> > If using "-all", you may also face rejection if your mail is
> > forwarded through a system whose IP is not in your policy (e.g. a
> > mailing list)."
>
> What mailing list does this?
>
> Envelope sender changes, but From: stays as me@junc.org, no?
>
> > Am I close??
>
> try again :)

He's talking about Sender ID, which uses the body From, so it's not him that
needs to try again.

Scott K
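
The distinction drawn in this reply, shown as an added example (not code from any poster or from the openspf.org project): SPF checks the MAIL FROM domain, while Sender ID checks the PRA taken from the message headers. The policy table, domains, IPs and function names are constructed; only `ip4` and `all` mechanisms are evaluated, and PRA selection is simplified to the first present of Resent-Sender, Resent-From, Sender, From.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table standing in for DNS TXT lookups (assumption).
POLICIES = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.5 -all",
    "lists.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_policy(domain, client_ip):
    """Evaluate only the ip4 and all mechanisms of a v=spf1 record."""
    record = POLICIES.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism.startswith("ip4:") and ip in ipaddress.ip_network(mechanism[4:]):
            return QUALIFIERS[qualifier]
        if mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def pra_domain(raw_message):
    """Simplified PRA selection: domain of the first header that is present."""
    msg = message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[name]:
            return parseaddr(msg[name])[1].rpartition("@")[2]
    return None

def evaluate(client_ip, mail_from, raw_message):
    """Return (SPF result on MAIL FROM, Sender ID result on PRA)."""
    spf = check_policy(mail_from.rpartition("@")[2], client_ip)
    return spf, check_policy(pra_domain(raw_message), client_ip)

# Constructed messages: an author's post, and the same post after a list
# relays it and adds its own Sender header.
AUTHOR_POST = "From: user@example.org\n\nhello\n"
LIST_WITH_SENDER = "Sender: owner@lists.example.net\n" + AUTHOR_POST

if __name__ == "__main__":
    print(evaluate("192.0.2.10", "user@example.org", AUTHOR_POST))
    print(evaluate("203.0.113.5", "bounce@esp.example", AUTHOR_POST))
    print(evaluate("198.51.100.7", "bounces@lists.example.net", AUTHOR_POST))
    print(evaluate("198.51.100.7", "bounces@lists.example.net", LIST_WITH_SENDER))
```

The third case is the one the thread is about: the list rewrites the envelope sender so SPF passes, but a Sender ID receiver applies the author's `-all` policy to the unchanged From header and fails the list's IP.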


Re: minor SIDF/SPF clarification
On lør 04 dec 2010 17:55:07 CET, Scott Kitterman wrote
> He's talking about Sender ID, which uses the body From, so it's not him that
> needs to try again.

Oops, sorry, but why keep using a bad implementation then?

--
xpoint



Re: minor SIDF/SPF clarification
On Saturday, December 04, 2010 02:04:37 pm Benny Pedersen wrote:
> On lør 04 dec 2010 17:55:07 CET, Scott Kitterman wrote
>
> > He's talking about Sender ID, which uses the body From, so it's not him
> > that needs to try again.
>
> Oops, sorry, but why keep using a bad implementation then?

The major point of the article he's discussing is that you can't avoid Sender
ID if you publish a record and you are sending mail to someone that uses
Sender ID. Fortunately almost no one does this.

Scott K


Re: minor SIDF/SPF clarification
>> I know you're all excited to see another SIDF/SPF clarification
>> question. :-)
>>
>> The doc at http://www.openspf.org/SPF_vs_Sender_ID says:
>>
>> "If you have published an v=spf1 policy to protect the use of your
>> domain in the MAIL FROM and HELO addresses, Sender ID implementations
>> that
>> apply your policy to PRA (per RFC 4406) will reject your mail if you
>> use your domain in the "From" (or generally PRA) header field while
>> sending
>> from (MAIL FROM) another system."
>>
>> ...but only if the "other system" IP is not included in the SPF record
>> for your protected domain, right? Isn't that an important clarification
>>
>> to make in that sentence? It makes it sound as if using third-party
>> systems is impossible with SID.
>>
>> And as an aside, why doesn't that page mention forwarding / mailing
>> lists anywhere? Is that not one of the most common causes of problems
>> with
>> SID (e.g. having to add a Sender header, etc)?
>>
>> Also, regarding the quote above: isn't it only true if the policy uses
>> -all? (Perhaps that's implied with "policy to protect the use of your
>> domain".)
>>
>> Not trying to be critical, just wanting to know if I'm
>> misunderstanding.
>>
>> Perhaps the rewrite would be:
>>
>> "If you have published a v=spf1 policy with the "-all" token to protect
>> the use of your domain in the MAIL FROM and HELO addresses, and you
>> send
>> mail from an IP not covered by your policy, and if you use your domain
>> in the "From" header field (or, generally, the PRA), then Sender ID
>> implementations may apply your policy to the PRA (per RFC 4406) and may
>> reject your mail.
>>
>> If using "-all", you may also face rejection if your mail is forwarded
>> through a system whose IP is not in your policy (e.g. a mailing list)."
>>
>> Am I close??
>>
> You aren't wrong. It's certainly possible to write an SPF record that covers the superset of SPF and SIDF requirements, but that is written from the perspective of a record written just for SPF. The primary point is that SIDF reuse of SPF records (which was a unilateral Microsoft decision made after the IETF MARID working group was shut down) causes any SPF user to be an involuntary SIDF user, and this can cause problems.
>
> Fortunately SIDF never really took off and DKIM is rapidly filling the niche it was aimed for. That statement was the joint work of a number of people and so I don't feel comfortable changing it without dire need.
>
> Scott K

Thanks, and fair enough on not wanting to change it; especially as the relevance of the document diminishes with time, I guess this is
increasingly making a mountain out of a molehill. It's just too bad that forwarding isn't discussed, since that page seems (to my google
searching) to be the "here's the last word on the subject" link, and all the other pages seem lacking.

Re: an SPF record that covers the superset: it wouldn't be practical/possible/scalable or even desirable to include all the IPs of every mailing
list or forwarder your domain might be sending to, would it? (In most cases, anyway?) Anyway I guess that's the reason you suggest the dummy
SIDF records.

Thanks again,
-c

