Wiki

User Tools

Site Tools

Trace: hot_drinks_are_spilled_on_you print_host_interfaces_and_routes setup_a_minimal_docker_client claim_back_air_passenger_duty disabling_dangerous_php_functions senderid_introduction
bind_-_senderid:senderid_introduction

This is an old revision of the document!

Bind - SenderID - SenderID Introduction

Sender ID is similar to Sender Policy Framework (SPF), but with one main difference; Sender ID verifies sender identity based on the Purported Responsible Address (PRA) using the From: or Sender: header fields.

SenderID tries to improve on a principal deficiency in SPF: that SPF does not verify the header addresses that indicates the sending party. SPF verifies only the “MAIL FROM” address (also called the envelope sender).

Sender ID was developed by Microsoft to protect against spoofing the RFC5322.From address, the one that the user sees in their email client. However, SenderID does not have the same level of widespread industry deployment that SPF or DKIM do.

SenderID was primarily used in Hotmail and on-premise Exchange servers deployed locally within organizations.

Sender ID is almost identical to SPF except that v=spf1 is replaced with one of:

  • spf2.0/mfrom - meaning to verify the envelope sender address just like SPF.
  • spf2.0/mfrom,pra or spf2.0/pra,mfrom - meaning to verify both the envelope sender and the PRA.
  • spf2.0/pra - meaning to verify only the PRA.

Examples

v=spf2.0/pra include:1.2.3.0/24 –all

OR

For news.example.com, 

v=spf2.0/pra include:advertize.com –all
  • spf2.0/pra means that this is a SenderID record.
  • pra means to apply this to the domain in the Purported Responsible Address, which is either the domain in the Sender: (rarely) or RFC5322.From (usually).“

It does mean that you must create and delegate a subdomain for 3rd parties to send on behalf of you and publish their SPF records in that subdomain's SenderID record. If you ever change 3rd parties, you must update this SenderID record. And if this 3rd party ever starts sending spam using your subdomain, it will pass a SenderID check (it can also pass an SPF check).

However, even if it does go rogue, it can only pass a SenderID check for this delegated subdomain. In this example, it can only SenderID pass news.example.com. It will not pass example.com, confirmations.example.com, and so forth. The damage is contained (and can be revoked by unpublishing the IPs from the SenderID record).

bind_-_senderid/senderid_introduction.1480420576.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki