ForwardingSolutions


Discussion of possible solutions to breakage of some types of forwarding, when using designated sender rejection of forgeries.

VarA: The Verified and Recipient Authorized solution suggested for the designated sender forwarding problem.


Set up a sub-domain for inbound forwarded accounts only, which does no designated sender checking at all. Announce to your users that in order for their forwarded mail to be accepted, they need to direct the forward to user@fwd.domain.com instead of user@domain.com.

Disadvantages: Spammers know ANYTHING will be accepted by user@fwd.domain.com. However, all types of anti-spam processing other than designated sender checks can still be used on this mail stream.


Announce to your users that in order for inbound forwarding to continue working, they need to let you know which accounts they forward into the email system you administer. You can then set up a trust list / whitelist of those sources, so that designated sender checking is skipped for them.

Disadvantages: The sources may change from time to time. If you have whitelisted them by IP, it may be hard to know all the IP addresses or keep them updated. Users may also not know where their forwarded accounts originate, even to the point of being unable to give you the email address.


Only trust sources who have identified their outbound mail servers using one of the available designated sender formats, and who also assert that they apply anti-forging checks to mail which is inbound to them.

Disadvantages: Spammers could pose as a forwarding service in order to get on a trusted list.


Trust only well-known sources known to be "forwarding-only" services.
Trust all source ISPs whose anti-spam and security precautions you feel are sufficient.


Solutions which can be implemented by the outbound ISP
Rewrite user@fwdingISP.com as the envelope-from, leave user@originalsenderISP.com as the header From and, if appropriate, the header Errors-To.
If RCPT TO: user@destinationISP.com is rejected, fwdingISP.com is responsible for sending a bounce notice to user@originalsenderISP.com. If the bounce occurs after destinationISP.com has accepted the full message, destinationISP.com sends the bounce to the header From or header Errors-To.


Solutions which can be implemented by users
Eliminate purposeless forwarding of accounts, clean up and consolidate usage of multiple email addresses.

Where possible and desirable, consolidate domains you need to forward between onto one hosting ISP. (Forwarding between accounts on domains hosted by the same ISP would in most cases not be subjected to a designated sender check.)

In cases where you really need to use forwarded accounts, choose an email forwarding ISP and destination host ISP who have implemented effective anti-forgery policies that work well together.


Partial Adoption Scenario
All domains in the world announce their designated senders. Only email systems with no users who need to forward mail inbound from external email systems become the early adopters of designated sender anti-forgery. ISPs with users who need to do inbound forwarding do not utilize a designated sender check on their inbound servers until they are able to implement an acceptable solution.


Combination Solutions:
Trust outbound servers of well-known forwarding services who have announced their outbound servers.

For non-trustable forwarding sources, inform your users to change the address they forward to on your system to user@fwd.domain.com, and use all forms of anti-spam processing except designated sender checks on mail received through fwd.domain.com.
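
One way an inbound server could express the combination solution as a per-recipient decision. This is an added example, not code from the original page or from any designated sender implementation. The names `decide`, `Decision`, `rcpt_domain` and `is_trusted_forwarder` are hypothetical, and the trusted networks are constructed sample values from documentation address ranges.

```python
import ipaddress
from typing import NamedTuple

# Constructed configuration: the sub-domain name follows the page's example;
# the networks are documentation ranges standing in for forwarders' announced servers.
FORWARD_ONLY_DOMAIN = "fwd.domain.com"
TRUSTED_FORWARDERS = [ipaddress.ip_network(n)
                      for n in ("192.0.2.0/28", "2001:db8:25::/48")]

class Decision(NamedTuple):
    sender_check: bool   # run the designated sender check?
    reason: str          # other anti-spam processing always still applies

def rcpt_domain(rcpt_to: str) -> str:
    """Extract the lower-cased domain from a RCPT TO address."""
    addr = rcpt_to.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"malformed recipient: {rcpt_to!r}")
    return domain.rstrip(".").lower()

def is_trusted_forwarder(client_ip: str) -> bool:
    """True if the connecting IP is inside a trusted forwarder's network."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # treat ::ffff:a.b.c.d as plain IPv4
    return any(ip.version == net.version and ip in net
               for net in TRUSTED_FORWARDERS)

def decide(client_ip: str, rcpt_to: str) -> Decision:
    """Per-recipient decision for the combination solution."""
    # Exact match only: a suffix test would also exempt e.g. xfwd.domain.com.
    if rcpt_domain(rcpt_to) == FORWARD_ONLY_DOMAIN:
        return Decision(False, "forward-only sub-domain")
    if is_trusted_forwarder(client_ip):
        return Decision(False, "trusted forwarder")
    return Decision(True, "default: check designated sender")

if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.9", "user@domain.com"),
                     ("203.0.113.9", "<User@FWD.Domain.Com>"),
                     ("::ffff:192.0.2.5", "user@domain.com"),
                     ("192.0.2.16", "user@xfwd.domain.com")]:
        print(ip, rcpt, decide(ip, rcpt))
```

The decision is made per recipient, so a single SMTP transaction addressed to both user@domain.com and user@fwd.domain.com can have the check applied for one and skipped for the other.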


Solutions suggested by other designated sender proponents
http://spf.pobox.com/objections.html See the section heading "Forwarding and Return-Path"

http://spf.pobox.com/srs.html Sender Rewriting Scheme (SRS)

This page was last edited 4 years ago by AprilDL.