SPF sucks

Michael L Torrie torriem at chem.byu.edu
Wed Jun 27 13:12:36 MDT 2007


In my quest to implement a mixed Google Mail/Postfix mail solution for
my domain, I just came across a situation that shows how SPF really
really sucks and is fundamentally broken.  

Basically SMTP allows e-mail to be relayed from server to server, and
not just passed from one server to one other server.  Along the way each
server adds its headers so you can track the hops back to the sender.
This is perfectly legit.

BUT, if you do it, SPF looks at the last server that handed off the mail
and says, "but wait.  That server isn't authorized to send mail on
behalf of somedomain.com."  That's bogus because the server who relayed
the mail didn't send on behalf of the domain; it just relayed it on
behalf of the server that did.  And SPF thinks that my server is now
forging e-mails from *any* SPF-enabled domain that sends to me.  Of
course it's a tricky problem because SPF cannot just look for any match
in the list of relays, since it can't guaranty that those headers aren't
forged.  So it's a completely and utterly broken system.

Of course, since many people have chosen to use it, I have to now figure
out a workaround.  Which will likely be to have google pick everything
up and then fetchmail certain people's accounts back down to my postfix
server.  Nasty.

So for anyone considering a mixed google mail / normal mail solution,
it's likely not going to work because of SPF.

Michael





More information about the PLUG mailing list