Educause Security Discussion mailing list archives

Re: Anyone using SPF/SRS/SenderID ?

From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Wed, 6 Jan 2010 11:23:36 -0600

I've yet to see a real benefit to these techniques.

At the moment, I am pinning my hopes on DKIM, merely as a way toimplement whitelisting.


https://spaces.internet2.edu/display/ddx/

Jesse

On 1/5/2010 5:43 PM, Andrew Daviel wrote:

Following the hype a few years back, I created an SPF record for us.
But because of the problems with road warriors and mail forwarding, it's
still set to "neutral".

I've had SRS on my to-do list for a while, and was just looking at a
project which integrates SRS into sendmail.

Is anyone actually using this, or is it a technology of interest only to
bulk mailers ? (I understand that many universities are also bulk
mailers, but I guess they may outsource this)


If I understand this stuff correctly, our SPF record says "mail from
example.com may or may not come from 192.168/16", because
1) some users are on sabbatical at example.ac.uk, and mail out via
172.16/12
as joe () example com
2) users from example.ac.uk on sabbatical here may forward mail
from bert () example com to bert () example ac uk, which will see it coming
from 192.168/16 instead of the original domain
3) users from Britain on sabbatical in Japan have mail for
ann () example ac uk forwarded to ann () example ac jp.
If fred () example com mails ann () example ac uk, example.ac.jp will
see it coming from 172.16/12 not 192.168/16

#1 we can fix through education. Many people now use webmail which
sidesteps the issue
#2 we can fix with SRS which rewrites the return path
#3 we have no control over. If we set our SPF record to "fail" then we
need example.ac.uk to implement SRS otherwise example.ac.jp could reject
mail from fred () example com as spam


https://www.microsoft.com/presspass/press/2007/apr07/04-18SenderIDPR.mspx
"Sender ID Framework Reaches Tipping Point"
http://www.openspf.org/SRS
http://www.openspf.org/

(I see that senderID and SPF are different but confused to the point of
senderID potentially borking some SPF users :-( )
senderID I think requires forwarders to add a "Sender" or "Resent-From"
header, but I haven't fully checked.


--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

Anyone using SPF/SRS/SenderID ? Andrew Daviel (Jan 05)
- <Possible follow-ups>
- Re: Anyone using SPF/SRS/SenderID ? Jesse Thompson (Jan 06)
- Re: Anyone using SPF/SRS/SenderID ? Ed Gibson (Jan 06)
- Re: Anyone using SPF/SRS/SenderID ? Jesse Thompson (Jan 07)
- Re: Anyone using SPF/SRS/SenderID ? Andrew Daviel (Jan 07)
- Re: Anyone using SPF/SRS/SenderID ? Jesse Thompson (Jan 08)