nanog mailing list archives

Re: is it just me or...


From: Tom Ivar Helbekkmo via NANOG <nanog () lists nanog org>
Date: Sun, 25 May 2025 20:17:24 +0200

Bjørn Mork <bjorn () mork no> writes:

> Tom Ivar Helbekkmo via NANOG <nanog () lists nanog org> writes:
>
>> SPF broke forwarding, both for individual recipients, and through email
>> distribution lists, because the forwarding server wasn't on the list.
>
> This is not entirely precise.  It broke traditional alias forwarding,
> where the forwarding server would reuse the original envelope sender.
> But SPF does not break forwarding as long as the forwarding server uses
> its own proxy envelope sender.  Mailing lists have traditionally
> "always" done this, even before SPF. Remember the "owner-" aliases?

Yes, of course.  I didn't want to get into all the details, like the
difference between envelope and header senders, in what was an attempt
at clarifying the basic functionality and purpose of these mechanisms.

> The big problem with DMARC is that it ties SPF to the From header field,
> so changing the envelope sender will not work anymore.  This forces the
> forwarder to mess with the From field to align it with an SPF-valid
> envelope.  Which again will break any existing DKIM signature.  Which of
> course can be worked around by adding another DKIM signature.

Well, no.  If the forwarder specifies a proxy envelope sender, and
doesn't change the "From:" header, SPF will not be aligned, but the
original DKIM signature will be valid, so DMARC verification will pass.

It's certainly far from perfect, but DMARC does allow some scenarios to
work that wouldn't with just SPF and DKIM, ignorant of each other.

-tih
-- 
The creation of the state of Israel was a regrettable mistake.  It is
time to undo this mistake, and finally re-establish a free Palestine.
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/5TWL6PU7VKXVY2T7JSPOT2RJON2377QN/
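
The DMARC alignment logic debated in this thread, as an added Python example that is not part of the original messages: DMARC passes when either an SPF pass or a valid DKIM signature is aligned with the From: header domain. The domains are constructed, `org_domain()` is a naive stand-in for a Public Suffix List lookup, and the `list_modifies_body` case (a forwarder that alters signed content) goes beyond the scenarios named in the thread.

```python
# Added illustration: DMARC identifier alignment for forwarding scenarios.
# All domains are constructed; org_domain() is a simplifying assumption.
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Naive organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str, strict: bool = False) -> bool:
    """Strict alignment needs an exact match; relaxed compares org domains."""
    a, b = a.lower(), b.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str      # domain of the From: header
    envelope_from: str    # domain of the envelope sender (what SPF checks)
    spf_pass: bool        # SPF result for envelope_from at the receiving hop
    dkim_valid: list = field(default_factory=list)  # d= domains that verified

def dmarc(msg: Message, strict: bool = False) -> dict:
    """DMARC passes if an SPF pass OR a valid DKIM signature is aligned."""
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, strict)
    dkim_ok = any(aligned(d, msg.header_from, strict) for d in msg.dkim_valid)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "pass": spf_ok or dkim_ok}

SCENARIOS = {
    # Alias forward reusing the original envelope sender: SPF fails for the
    # forwarder's IP, but the untouched message keeps its DKIM signature.
    "alias_forward": Message("example.org", "example.org", False, ["example.org"]),
    # Forwarder uses its own proxy envelope sender and leaves From: alone.
    "proxy_envelope": Message("example.org", "fwd.example.net", True, ["example.org"]),
    # Forwarder alters signed content, so the original DKIM signature breaks.
    "list_modifies_body": Message("example.org", "lists.example.net", True, []),
    # Forwarder rewrites From: to its own domain and adds its own signature.
    "list_rewrites_from": Message("lists.example.net", "lists.example.net", True,
                                  ["lists.example.net"]),
}

def evaluate_all(strict: bool = False) -> dict:
    return {name: dmarc(m, strict) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:20} {result}")
```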
