On Mon, Mar 09, 2015 at 07:16:59AM +0100, Sebastian Nielsen wrote:

> I understand. What I do with the SPF signature checker, is to
> unconditionally add a header that looks like this:
> X-SPF-Signature: none (dukhovni.org: No applicable sender policy available)
> receiver=server-desktop; identity=mailfrom;
> envelope-from="postfix-us...@dukhovni.org"; client-ip="2604:8d00:0:1::4"

In this case, since you got the email not from, but from the Postfix
users list, the "envelope-from" is not my address.  Rather it is:

    owner-postfix-us...@postfix.org

> The idea behind this, is that the MUA, should be able to mark the email as
> guaranteed genuine and safe to the end user, if a mail is:
> (SPF signed OR S/MIME Signed OR DKIM Signed), but if ANY is forged, then the
> whole mail is marked as forged.

Except that SPF does not "sign" email it just checks a list of
authorized relays.  This check fails when email is forwarded, and
forwarding of mail is not forgery.  When using SPF and DKIM, the
recommended practice is to accept email as genuine if either DKIM
or SPF pass, even if the other fails.

> Thus, if a validly signed email, regardless of method (SPF, S/MIME or DKIM)
> comes from my bank, I know that I can safely visit any links and enter any
> personal data.

Even better, never click on links in email and enter personal data.
Don't get lulled into a false sense of security.

Large corporations outsource email communications to all sorts of
third parties, and list them in their SPF and DKIM records.

-- 
        Viktor.
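As an added illustration (not code from the thread or from Postfix), the following parses a header in the X-SPF-Signature shape quoted above and compares the two combination rules discussed: the "any fail means forged" rule versus the recommended "accept if either SPF or DKIM passes". The forwarded-mail header, the example.org names and the DKIM results are constructed for the demo.

```python
import re

# Header shape quoted in the thread: "<result> (<comment>) key=value; key=value; ..."
_HDR_RE = re.compile(r'^\s*(?P<result>\w+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<props>.*)$', re.S)

# The header exactly as quoted in the thread.
PAGE_HEADER = ('none (dukhovni.org: No applicable sender policy available)\n'
               ' receiver=server-desktop; identity=mailfrom;\n'
               ' envelope-from="postfix-us...@dukhovni.org"; client-ip="2604:8d00:0:1::4"')

# Constructed: the same message relayed through a forwarder that is not in the
# sender's SPF record. SPF fails, but the DKIM signature still verifies.
FORWARDED_HEADER = ('fail (example.org: relay not in sender policy)\n'
                    ' receiver=server-desktop; identity=mailfrom;\n'
                    ' envelope-from="user@example.org"; client-ip="192.0.2.10"')

def parse_spf_header(value):
    """Return (result, properties) for an X-SPF-Signature style header value."""
    m = _HDR_RE.match(value)
    if not m:
        raise ValueError("unparseable SPF header")
    props = {}
    for item in m.group("props").split(";"):
        item = item.strip()
        if not item or "=" not in item:
            continue  # tolerate trailing ';' and stray whitespace
        k, v = item.split("=", 1)
        props[k.strip().lower()] = v.strip().strip('"')
    return m.group("result").lower(), props

def classify(spf_result, dkim_result, policy="either-pass"):
    """Combine SPF and DKIM outcomes under one of the two rules from the thread.

    'either-pass': genuine if SPF or DKIM passes, even if the other fails
                   (the recommended practice; survives forwarding).
    'any-fail':    forged as soon as any mechanism fails (the proposed rule;
                   misclassifies legitimately forwarded mail).
    """
    outcomes = (spf_result.lower(), dkim_result.lower())
    if policy == "any-fail" and "fail" in outcomes:
        return "forged"
    if policy not in ("either-pass", "any-fail"):
        raise ValueError("unknown policy: %s" % policy)
    return "genuine" if "pass" in outcomes else "unverified"

def evaluate(header_value, dkim_result, policy="either-pass"):
    """Parse the SPF header, then classify together with a DKIM result."""
    spf_result, _props = parse_spf_header(header_value)
    return classify(spf_result, dkim_result, policy)
```

Note that an SPF result of "none" (no policy published) is neither pass nor fail, so under both rules it leaves the message merely unverified rather than forged.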
