[mail-vet-discuss] Reworked section 2 (for -13)

Dotzero dotzero at gmail.com
Wed Mar 12 08:37:05 PDT 2008


On 3/12/08, Murray S. Kucherawy <msk at sendmail.com> wrote:
> Dotzero wrote:
> > After reviewing section 2.4.3 I think it should be split out
> > separately for SPF and Sender-ID. A pass for SPF does not mean the
> > same thing as a pass for SIDF. Conflating the two is a recipe for
> > problems. Mail From pass from SPF is totally different from PRA pass
> > from SIDF.
> >
> Well actually now I'm not sure why you think that.  The spec doesn't say
> a pass from one is the same as a pass from the other; you could
> certainly have "spf=pass" and "sender-id=hardfail" in an A-R header or
> pair of headers.  The spec only says under what circumstances you would
> use "pass" in each case.  Both mechanisms ask the same question: Was the
> client authorized to send by domain's policy (however that got
> evaluated)?  And it seems to me both mechanisms are sufficiently similar
> that they have overlapping answer sets.  That's why I grouped them when
> enumerating possible results.

Notwithstanding Scott's comment, I was thinking of the case of SIDF
where there is an arbitrary Sender field.

In this case, the policy checked is that of the domain from the
RFC2822 Sender field and not the domain of the RFC 2821 Mail From
field.

The meaning of a pass (and the check itself) is totally different in
this case compared to a pass for an SPF check of RFC2821 Mail From at
the transport layer.

So we start with this:

" pass:  The client is authorized to inject or relay mail on behalf of
the sender's domain."

But what we really should be saying is:

In the case of SPF (RFC4408), it should read something like this:

 " pass:  The client is authorized to inject or relay mail on behalf
of the RFC2821 Mail From domain."

In the case of SIDF (RFC 4406), it should read something like this:

 " pass:  The PRA is authenticated as either RFC2822 From or Sender
domain or if no SPF2 record is present an evaluation of the RFC2821
Mail From domain SPF1 record."

I know I'm not expressing the latter case exactly correctly but I hope
I'm getting my point across. They are not evaluated the same and a
pass is not the same thing.
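An added example, not part of this thread or of any draft text: a small Python parser that reads an Authentication-Results field and reports, for each spf or sender-id result, which identity it actually vouches for, so an SPF pass on the RFC 2821 Mail From and a Sender-ID result on the PRA are never conflated. The sample header is constructed, and the ptype.property spellings (smtp.mailfrom, smtp.helo, header.from, header.sender) are assumed to follow the A-R convention.

```python
import re

# Constructed sample (not from the original mail): an SPF pass on the
# RFC 2821 MAIL FROM identity next to a Sender-ID hardfail on the PRA,
# which the spec explicitly allows to coexist in one A-R field.
SAMPLE_AR = (
    "Authentication-Results: mx.example.net; "
    "spf=pass smtp.mailfrom=bulk.example.com; "
    "sender-id=hardfail header.sender=marketing.example.org"
)

# Which identity each method evaluates; the property names are an
# assumption about the ptype.property spellings used with these methods.
IDENTITY_OF = {
    "spf": {"smtp.mailfrom": "RFC 2821 MAIL FROM",
            "smtp.helo": "SMTP HELO"},
    "sender-id": {"header.from": "RFC 2822 From (PRA)",
                  "header.sender": "RFC 2822 Sender (PRA)"},
}

_RESINFO = re.compile(r"(?P<method>[a-z0-9-]+)=(?P<result>[a-z]+)\s*(?P<props>[^;]*)")
_PROP = re.compile(r"([a-z]+\.[a-z]+)=(\S+)")


def parse_ar(header):
    """Return [(method, result, {ptype.property: value}), ...] for an A-R field."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    _authserv, _, rest = body.strip().partition(";")   # drop the authserv-id
    results = []
    for m in _RESINFO.finditer(rest):
        props = dict(_PROP.findall(m.group("props")))
        results.append((m.group("method"), m.group("result"), props))
    return results


def explain(header):
    """Map each method to (result, identity checked, domain) without merging spf and sender-id."""
    out = {}
    for method, result, props in parse_ar(header):
        known = IDENTITY_OF.get(method, {})
        for prop, value in props.items():
            if prop in known:
                out[method] = (result, known[prop], value)
    return out


def authorized_identities(header):
    """Only the identities that actually passed; a PRA result never vouches for MAIL FROM."""
    return {ident for result, ident, _ in explain(header).values() if result == "pass"}
```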

