nanog mailing list archives

Re: SPF Configurations


From: Douglas Otis <dotis () mail-abuse org>
Date: Mon, 7 Dec 2009 11:20:09 -0800


On Dec 7, 2009, at 9:51 AM, Michael Holstein wrote:


>> The problem we face is that some people we work with can't do that
>
> Then explain that client-side (their users, to whom they send mail) are probably using Hotmail, et al. and SPF will
> simply not allow "spoofing" which is what they want to do, unless they either:
>
> A) add the SPF record as previously mentioned. It's a TXT record under their root and isn't hard at all.

An authorization tied to a PRA or Mail From will not prevent spoofing, it just constrains the risks to those with 
access to a provider's service.

A provider could ensure a user controls the From email-address, but this would conflict with the IP path registration
schemes.
 
> B) permit you to use a subdomain (like "user () theircompanymail yourdomain com").

A provider can ensure any signed From email-address is controlled by its users by using ping-back email confirmations 
appended to user profiles.

There is a proposal aimed at reducing DNS overhead and scalability issues associated with the all-inclusive IP address 
path registration scheme with its inability to cope with forwarded email:

http://tools.ietf.org/html/draft-otis-dkim-tpa-label-03

Use of this DKIM extension can safely accommodate a user's desire to authorize third-party signatures to protect 
acceptance of From headers within domains that differ from the DKIM signature.  DKIM does not need to change.

Once IPv6 and international TLDs come into the mix, having users "vote" (authorize) DKIM providers could better 
determine what new domains can be trusted, and help ensure users are allowed to utilize their own language and to seek 
assistance in obtaining acceptable IPv6 connectivity.  

-Doug
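
The point above about an authorization tied to Mail From, shown as an added example that is not part of the original message: a simplified Python evaluator for a subset of SPF (ip4, ip6, include, all) run over constructed records and messages. The domains, address ranges, and the names `check_host` and `spf_for_message` are assumptions for illustration, and no DNS lookups are made.

```python
import ipaddress
# Constructed sample TXT records (reserved documentation names and ranges).
SPF_RECORDS = {
    "customer.example": "v=spf1 include:provider.example -all",
    "provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=SPF_RECORDS, depth=0):
    """Simplified SPF subset (ip4, ip6, include, all) without DNS lookups."""
    terms = records.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            matched = check_host(ip, arg, records, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def spf_for_message(msg):
    """The only inputs are the connecting IP and the MAIL FROM domain."""
    domain = msg["mail_from"].rpartition("@")[2]
    return check_host(msg["client_ip"], domain)

# Constructed messages: the first two come from different accounts on the
# same provider range; SPF cannot tell them apart and never reads header_from.
MESSAGES = [
    {"client_ip": "192.0.2.10", "mail_from": "alice@customer.example", "header_from": "alice@customer.example"},
    {"client_ip": "192.0.2.77", "mail_from": "bob@customer.example", "header_from": "alice@customer.example"},
    {"client_ip": "198.51.100.5", "mail_from": "alice@customer.example", "header_from": "alice@customer.example"},
]
if __name__ == "__main__":
    for m in MESSAGES:
        print(m["client_ip"], m["mail_from"], m["header_from"], spf_for_message(m))
```

The first two messages both evaluate to `pass` because the result depends only on the provider's address range and the envelope domain, while the third fails because it arrives from outside that range.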


