On Tue, Dec 8, 2020 at 1:31 AM Paul Smith via mailop <mailop@mailop.org> wrote:
> On 07/12/2020 21:47, John Levine via mailop wrote:
> >
> >> Forwarders are one of the things that don't respond well to SPF. But
> >> honestly, it's 2020 ... why are we forwarding mail to external services?
> >> SRS might be a bandaid for this, but isn't the easiest solution to just
> >> tell people that forwarding mail to external servers is bad (mmkay).
> >
> > Uh, no. I have lots of users with role accounts who read their mail at
> > gmail. Forwarding is as useful as it ever was, even though it is ever
> > harder to do successfully.
> >
> > The fact that SPF can't handle forwarded mail is a failure of SPF, not
> > a bug in forwarding.
>
> We have to be careful not to prescribe that the old way of doing things
> is sacrosanct. The world changes.
>
> I remember when I could have emailed you by sending a message to
> johnl%taugh.com%microsoft....@ibm.com and it would have got to you. No
> one (I hope) nowadays would say that is an acceptable way of doing things.
>
> Forwarding is still useful nowadays, but 'willy nilly' forwarding
> shouldn't be. Nowadays, there needs to be a way to limit forwarding to
> the forwarding you actually want to happen. The risk of spoofed mail can
> be catastrophic for a company, and because forwarded mail looks very
> similar to spoofed mail, there needs to be a way to differentiate them.
>
> If you're forwarding to your own company's mail server, then it should
> be easy to have that forwarding work with SPF, and if you're forwarding
> to someone like gmail, then, to be honest, it should be relatively
> trivial for them to *USE* SPF to allow forwarding to them. I could tell
> Google to allow a specific domain to forward to me (the domain of the
> forwarder), and they use the SPF record for that domain to validate the
> IP addresses that can then forward and override other SPF checks.

That feature was on my backlog at Gmail for a long time, but never high
enough priority to get off it... Now it would probably use ARC instead,
unless that becomes a pipe dream; at least theoretically, with ARC we could
just learn it and not worry about the user interface and confusing users.

> Or forwarders could add a digital signature to a header, and the user
> somehow tells the forwarding target the public key to validate that
> signature for forwarders they want to allow that would then bypass SPF
> checks. (This would be better than the IP checking way, but would
> require a new standard)

That's basically ARC.

Brandon
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
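The "trusted forwarder" scheme Paul sketches above, modelled as an added example (this is not code from the thread, from Gmail, or from any SPF library): ordinary SPF is evaluated on the envelope sender, and when it fails, the receiver consults the SPF record of a forwarding domain the user has explicitly named and accepts the message only if the connecting IP is authorised by *that* record. The DNS records, domain names and addresses are all constructed and held in an inline dictionary; the evaluator is deliberately tiny (ip4:, include: and the all mechanism only) and is not a complete RFC 7208 implementation.

```python
"""
Toy model of SPF plus a per-user trusted-forwarder override.

Constructed for illustration: SPF records come from an inline dict rather
than DNS, only ip4:, include: and the all mechanism are understood, and the
domains/addresses are documentation values (RFC 5737 / RFC 6761).
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups; nothing here touches the network.
DNS_TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.5 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:203.0.113.0/28 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` against connecting address `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only ip4:, include: and all are handled; include: recursion is capped so a
    looping record cannot run away (RFC 7208 limits DNS-querying terms to 10).
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if depth >= 10:
                return "permerror"
            # include: matches when the referenced domain's record yields pass.
            if check_spf(term[len("include:"):], ip, depth + 1) == "pass":
                return result
        elif term == "all":
            return result
    return "neutral"  # record exhausted without a match (no "all" term)


def accept_forwarded(mail_from_domain: str, connecting_ip: str,
                     trusted_forwarders: list[str]) -> tuple[str, str]:
    """Inbound decision with the trusted-forwarder override.

    1. Ordinary SPF on the envelope sender; pass means accept.
    2. Otherwise, if the user named forwarding domains, accept when the
       connecting IP is authorised by one of *those* domains' SPF records.
       The trust is scoped to the forwarder's published IPs, not the world.
    3. A hard SPF fail with no forwarder match is rejected; weaker results
       are left to downstream scoring.
    """
    spf = check_spf(mail_from_domain, connecting_ip)
    if spf == "pass":
        return ("accept", f"spf=pass for {mail_from_domain}")
    for fwd in trusted_forwarders:
        if check_spf(fwd, connecting_ip) == "pass":
            return ("accept",
                    f"spf={spf} for {mail_from_domain}; ip authorised by trusted forwarder {fwd}")
    if spf == "fail":
        return ("reject", f"spf=fail for {mail_from_domain}; ip not in any trusted forwarder's record")
    return ("accept", f"spf={spf} for {mail_from_domain}; left to downstream filtering")


if __name__ == "__main__":
    cases = [
        ("direct delivery", "192.0.2.10", []),
        ("forwarded, no trust configured", "198.51.100.5", []),
        ("forwarded, forwarder trusted", "198.51.100.5", ["forwarder.example"]),
        ("forwarded via included relay", "203.0.113.7", ["forwarder.example"]),
        ("spoof from unlisted ip, trust configured", "198.51.100.200", ["forwarder.example"]),
    ]
    for label, ip, trusted in cases:
        print(f"{label:42s} -> {accept_forwarded('sender.example', ip, trusted)}")
```

The last case is the one that matters for Paul's "forwarded mail looks very similar to spoofed mail" point: naming forwarder.example as trusted does not open the mailbox to anyone claiming to forward, only to the addresses forwarder.example itself publishes in SPF. ARC replaces the IP test with a signature chain, but the trust decision has the same shape: the receiver still has to decide which forwarder's assertion it believes.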