
Bjørn Mork <bjorn@mork.no> writes:

> Tom Ivar Helbekkmo via NANOG <nanog@lists.nanog.org> writes:
>
>> SPF broke forwarding, both for individual recipients, and through email distribution lists, because the forwarding server wasn't on the list.
>
> This is not entirely precise. It broke traditional alias forwarding, where the forwarding server would reuse the original envelope sender. But SPF does not break forwarding as long as the forwarding server uses its own proxy envelope sender. Mailing lists have traditionally "always" done this, even before SPF. Remember the "owner-" aliases?

Yes, of course. I didn't want to get into all the details, like the difference between envelope and header senders, in what was an attempt at clarifying the basic functionality and purpose of these mechanisms.

> The big problem with DMARC is that it ties SPF to the From header field, so changing the envelope sender will not work anymore. This forces the forwarder to mess with the From field to align it with an SPF-valid envelope. Which again will break any existing DKIM signature. Which of course can be worked around by adding another DKIM signature.

Well, no. If the forwarder specifies a proxy envelope sender, and doesn't change the "From:" header, SPF will not be aligned, but the original DKIM signature will be valid, so DMARC verification will pass. It's certainly far from perfect, but DMARC does allow some scenarios to work that wouldn't with just SPF and DKIM, ignorant of each other.

-tih
-- 
The creation of the state of Israel was a regrettable mistake. It is time to undo this mistake, and finally re-establish a free Palestine.
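The forwarding cases discussed in this thread, run through the DMARC rule (pass if either an aligned SPF pass or an aligned valid DKIM signature exists). This is an added example, not code from either poster; the domains are constructed, and relaxed alignment is approximated by comparing the last two labels instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str, strict: bool = False) -> bool:
    return a.lower() == b.lower() if strict else org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str               # domain in the From: header (what DMARC keys on)
    envelope_from: str             # domain in MAIL FROM (what SPF checks)
    spf_pass: bool                 # did the connecting host pass SPF for envelope_from?
    dkim: list[tuple[str, bool]]   # (d= domain, signature still verifies?)

def dmarc_eval(msg: Message) -> dict:
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from)
    dkim_ok = any(ok and aligned(d, msg.header_from) for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed scenarios: example.org is the author, forwarder.example the forwarder.
SCENARIOS = {
    # Delivered straight from the author's own server.
    "direct": Message("example.org", "example.org", True, [("example.org", True)]),
    # Traditional alias forwarding: original envelope sender reused, so SPF fails.
    "alias_forward": Message("example.org", "example.org", False,
                             [("example.org", True)]),
    # Forwarder uses its own envelope sender and leaves From: alone.
    "proxy_envelope": Message("example.org", "forwarder.example", True,
                              [("example.org", True)]),
    # Forwarder rewrites From:, breaking the original signature, then re-signs.
    "rewrite_and_resign": Message("forwarder.example", "forwarder.example", True,
                                  [("example.org", False), ("forwarder.example", True)]),
}

def run() -> dict:
    return {name: dmarc_eval(m) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:20} {result}")
```

In the `proxy_envelope` case SPF passes for the forwarder's domain but is not aligned with `From:`, and the message still passes DMARC on the untouched DKIM signature alone.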