[119996] in North American Network Operators' Group


Re: SPF Configurations

daemon@ATHENA.MIT.EDU (Douglas Otis)
Mon Dec 7 14:21:01 2009

From: Douglas Otis <dotis@mail-abuse.org>
In-Reply-To: <4B1D4094.9020303@csuohio.edu>
Date: Mon, 7 Dec 2009 11:20:09 -0800
To: Michael Holstein <michael.holstein@csuohio.edu>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Dec 7, 2009, at 9:51 AM, Michael Holstein wrote:

>
>> The problem we face is that some people we work with can't do that
>
> Then explain that client-side (their users, to whom they send mail)
> are probably using Hotmail, et al. and SPF will simply not allow
> "spoofing" which is what they want to do, unless they either:
>
> A) add the SPF record as previously mentioned. It's a TXT record under
> their root and isn't hard at all.

An authorization tied to a PRA or Mail From will not prevent spoofing,
it just constrains the risks to those with access to a provider's
service.

A provider could ensure a user controls the From email-address, but
this would conflict with the IP path registration schemes.

> B) permit you to use a subdomain (like
> "user@theircompanymail.yourdomain.com").

A provider can ensure any signed From email-address is controlled by
its users by using ping-back email confirmations appended to user
profiles.

There is a proposal aimed at reducing DNS overhead and scalability
issues associated with the all-inclusive IP address path registration
scheme with its inability to cope with forwarded email:

http://tools.ietf.org/html/draft-otis-dkim-tpa-label-03

Use of this DKIM extension can safely accommodate a user's desire to
authorize third-party signatures to protect acceptance of From headers
within domains that differ from the DKIM signature.  DKIM does not need
to change.

Once IPv6 and international TLDs come into the mix, having users "vote"
(authorize) DKIM providers could better determine what new domains can
be trusted, and help ensure users are allowed to utilize their own
language and to seek assistance in obtaining acceptable IPv6
connectivity.

-Doug
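
Added example, not part of the original message: a simplified SPF evaluator (only the ip4, include and all mechanisms) run over constructed records, illustrating the point in the message above that a Mail From authorization passes for anything sent through the authorized provider's servers. All domains, addresses and accounts are constructed.

```python
import ipaddress

# Constructed sample data: documentation IP ranges and example domains.
SPF_RECORDS = {
    "provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "customer-a.example": "v=spf1 include:provider.example -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for a MAIL FROM domain."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:])
        elif term.startswith("include:"):
            # An include matches only when the included record yields "pass".
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        else:
            matched = term == "all"  # other mechanisms are ignored here
        if matched:
            return RESULTS[qualifier]
    return "neutral"

# Constructed messages: (account that submitted the mail, MAIL FROM, client IP).
MESSAGES = [
    ("alice@customer-a.example", "alice@customer-a.example", "192.0.2.25"),
    ("bob@customer-b.example", "alice@customer-a.example", "192.0.2.25"),
    ("(outside host)", "alice@customer-a.example", "198.51.100.7"),
]

def verdicts():
    """SPF sees only the MAIL FROM domain and the connecting IP, never the account."""
    return [check_spf(mail_from.split("@")[1], ip) for _, mail_from, ip in MESSAGES]

if __name__ == "__main__":
    for (account, mail_from, ip), result in zip(MESSAGES, verdicts()):
        print(f"{account:26} MAIL FROM {mail_from:26} {ip:14} -> {result}")
```

The first two messages get the same result because the receiver's check has no input that distinguishes which of the provider's accounts submitted the mail; only the provider can enforce that.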


