On Mon, 24 Jul 2006, Ramprasad wrote:
> > Except = SPF breaks email forwarding. It requires that the world
> > change how email is forwarded and that's not going to happen. Thus if
> > a bank has a hard fail and someone with an account on my server gets
> > email from an account that is forwarded then my server sees the email
> > as coming from an illegitimate source.
[snip..]
> Yes SPF breaks email forwarding, so does PTR checking ( which never was
> a great idea IMHO ). Every technique has some drawbacks. SPF has some
> but is still better than the rest
> When you want add security to an inherently insecure medium you cant say
> I will not change my servers.
> You want to put a .forward and receive mails from banks, get you mail-
> admin to use SRS. What is unreasonable in that ?
An even better way to deal with this scenario; tell your customer:
"When you forward mail thru a 3'rd party it introduces potential
security risks. Your bank is not willing to tolerate those risks and
demands (via SPF-hardfail) that their messages get delivered directly
to their customers. When you (the customer) change ISPs you need to
go to your bank-account's profile and update the e-mail address.
To maintain security and reliability of delivery you should want to
do this."
That little dialog should impress the customer with your sincerity
and their bank's commitment to security (as well as redirect any
potential complaints to the bank, the bank made us do this ;).
It's also the simple truth. The analogy would be, if you move you
file a change-of-address with your bank, you don't trust the people
at your old apartment to always forward your bank statements to
your new home.
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
