On Mon, 24 Jul 2006, Ramprasad wrote:

> > Except SPF breaks email forwarding. It requires that the world
> > change how email is forwarded and that's not going to happen. Thus if
> > a bank has a hard fail and someone with an account on my server gets
> > email from an account that is forwarded then my server sees the email
> > as coming from an illegitimate source.
> [snip..]
> Yes SPF breaks email forwarding, so does PTR checking (which never was
> a great idea IMHO). Every technique has some drawbacks. SPF has some
> but is still better than the rest.
> When you want to add security to an inherently insecure medium you can't
> say I will not change my servers.
> You want to put a .forward and receive mails from banks, get your
> mail-admin to use SRS. What is unreasonable in that?

An even better way to deal with this scenario; tell your customer:

"When you forward mail thru a 3rd party it introduces potential
security risks. Your bank is not willing to tolerate those risks and
demands (via SPF-hardfail) that their messages get delivered directly
to their customers. When you (the customer) change ISPs you need to go
to your bank-account's profile and update the e-mail address. To
maintain security and reliability of delivery you should want to do
this."

That little dialog should impress the customer with your sincerity and
their bank's commitment to security (as well as redirect any potential
complaints to the bank, the bank made us do this ;). It's also the
simple truth.

The analogy would be, if you move you file a change-of-address with
your bank, you don't trust the people at your old apartment to always
forward your bank statements to your new home.

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{