<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Email Forgery Prevention Using SPF - W3C</title><link rel="stylesheet" href="/2008/site/css/minimum" type="text/css" media="handheld, all" /><style type="text/css" media="print, screen and (min-width: 481px)" xml:space="preserve">
@import url("/2008/site/css/advanced");
</style><link href="/2008/site/css/minimum" rel="stylesheet" type="text/css" media="handheld, only screen and (max-device-width: 480px)" /><meta name="viewport" content="width=device-width" /><link rel="stylesheet" href="/2008/site/css/print" type="text/css" media="print" /><link rel="shortcut icon" href="/2008/site/images/favicon.ico" type="image/x-icon" /></head><body id="www-w3-org" class="w3c_public"><div id="w3c_container">
<div id="w3c_mast">
<h1 class="logo">
<a tabindex="2" accesskey="1" href="/"><img src="/2008/site/images/logo-w3c-mobile-lg" width="90" height="53" alt="W3C" /></a>
<span class="alt-logo">W3C</span>
</h1>
<div id="w3c_nav">
<form action="/Help/search" method="get" enctype="application/x-www-form-urlencoded"><div class="w3c_sec_nav"><!-- --></div><ul class="main_nav"><li class="first-item">
<a href="/standards/">Standards</a>
</li><li>
<a href="/participate/">Participate</a>
</li><li>
<a href="/Consortium/membership">Membership</a>
</li><li class="last-item">
<a href="/Consortium/">About W3C</a>
</li><li class="search-item">
<div id="search-form">
<input tabindex="3" class="text" name="q" value="" title="Search" type="text" />
<button id="search-submit" name="search-submit" type="submit"><img class="submit" src="/2008/site/images/search-button" alt="Search" width="21" height="17" /></button>
</div>
</li></ul></form>
</div>
</div>
<div id="w3c_main">
<div id="w3c_logo_shadow" class="w3c_leftCol">
<img height="32" alt="" src="/2008/site/images/logo-shadow" />
</div>
<div class="w3c_leftCol"><h2 class="offscreen">Site Navigation</h2>
<h3 class="category"><span class="ribbon"><a href="/Mail/" title="Up to Mailing Lists">Mailing Lists <img src="/2008/site/images/header-link" alt="Header link" width="13" height="13" class="header-link" /></a></span></h3>
<ul class="theme">
<li><a href="/Mail/FAQ.html">FAQ</a></li>
<li><a href="/Mail/subject-tagging.html">On Subject Tagging</a></li>
<li><a href="/Mail/ArchiveEditingPolicy.html">Archive Editing Policy</a></li>
<li><a href="/Mail/Request.html">Managing Mailing List Subscriptions</a></li>
<li><a href="/2002/03/email_attachment_formats.html">Guidelines for Attachments</a></li>
<li><a class="current">Email Forgery Prevention Using SPF</a></li>
</ul>
<br /></div>
<div class="w3c_mainCol">
<h1 class="title">Email Forgery Prevention Using SPF</h1>
<ul class="w3c_toc"><li class="toc_prefix">On this page → </li><li><a href="#howto">How to Avoid Forgeries from Your Site</a><span class="bullet"> • </span></li><li><a href="#w3c-records">W3C's SPF Records</a></li></ul>
<div id="w3c_content_body">
<div class="line">
<p class="intro tPadding">
W3C has deployed <a href="http://www.openspf.org/">SPF (Sender Policy
Framework)</a> to prevent email forgeries. Our mail hubs reject forged
mail according to SPF records published by domain owners, and we have
published SPF records indicating which servers are authorized to send
email claiming to be from w3.org. See below for more information about
how to avoid forgeries from your site and about W3C's SPF records.
</p>
<h2 id="howto">How to Avoid Forgeries from Your Site</h2>
<p>
If you are concerned about email forged to appear from your site, you can
<a href="http://www.openspf.org/whatdoes.html">publish an SPF record</a>
(or ask your system administrators or ISP to publish one on your behalf)
and our email servers will automatically start to reject forgeries that
claim to be from your site.
</p>
<p>
<em>This endorsement is not without some reservations. While
Jonathan de Boyne Pollard's <a href="http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-spf-is-harmful.html">essay on problems with SPF</a> overstates the case in some places,
the point about <a href="http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-spf-is-harmful.html#HijackTXTResourceRecordType">squatting
on TXT records</a> is a concern we share.</em>
</p>
<h2 id="w3c-records">W3C's SPF Records</h2>
<dl><dt>
<a href="http://www.openspf.org/wizard.html?mydomain=w3.org">The SPF
record for w3.org</a>
</dt><dd>
<p>provides a list of servers that are authorized to send mail on behalf
of w3.org.</p>
<p>
This record ends in <code>~all</code>, which means "<a href="http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#anchor10">softfail</a>".
Due to issues with SPF and mail forwarding, we intend to leave our SPF
record in this state for the foreseeable future, so our record is useful
mainly for whitelisting. (Mail with an 'SPF pass' status from w3.org is
most likely legitimate, but other mail can be subject to more scrutiny,
e.g. using heuristic-based filters.)
</p>
</dd><dt>
The SPF records for <a href="http://www.openspf.org/wizard.html?mydomain=w3c.org">w3c.org</a> and <a href="http://www.openspf.org/wizard.html?mydomain=www.org">www.org</a>
</dt><dd>
<p>
indicate that those domains are never valid senders of email, so any
mail claiming to originate there should be rejected. </p>
</dd></dl>
</div>
</div>
</div>
</div>
</div><div id="w3c_footer">
<div id="w3c_footer-inner">
<h2 class="offscreen">Footer Navigation</h2>
<div class="w3c_footer-nav">
<h3>Navigation</h3>
<ul class="footer_top_nav"><li>
<a href="/">Home</a>
</li><li>
<a href="/standards/">Standards</a>
</li><li>
<a href="/participate/">Participate</a>
</li><li>
<a href="/Consortium/membership">Membership</a>
</li><li class="last-item">
<a href="/Consortium/">About W3C</a>
</li></ul>
</div>
<div class="w3c_footer-nav">
<h3>Contact W3C</h3>
<ul class="footer_bottom_nav"><li>
<a href="/Consortium/contact">Contact</a>
</li><li>
<a accesskey="0" href="/Help/">Help and FAQ</a>
</li><li>
<a href="/Consortium/sponsor/">Sponsor / Donate</a>
</li><li>
<a href="/Consortium/siteindex">Site Map</a>
</li><li>
<address id="w3c_signature">
<a href="mailto:site-comments@w3.org">Feedback</a> (<a href="http://lists.w3.org/Archives/Public/site-comments/">archive</a>)</address>
</li></ul>
</div>
<div class="w3c_footer-nav">
<h3>W3C Updates</h3>
<ul class="footer_follow_nav"><li>
<a href="http://twitter.com/W3C" title="Follow W3C on Twitter">
<img src="/2008/site/images/twitter-bird" alt="Twitter" width="78" height="83" class="social-icon" />
</a>
<a href="http://identi.ca/w3c" title="See W3C on Identica">
<img src="/2008/site/images/identica-logo" alt="Identica" width="91" height="83" class="social-icon" />
</a>
</li></ul>
</div>
<p class="copyright">Copyright © 2012 W3C <sup>®</sup> (<a href="http://www.csail.mit.edu/">
<acronym title="Massachusetts Institute of Technology">MIT</acronym>
</a>, <a href="http://www.ercim.org/">
<acronym title="European Research Consortium for Informatics and Mathematics"> ERCIM</acronym>
</a>, <a href="http://www.keio.ac.jp/">Keio</a>) <a href="/Consortium/Legal/ipr-notice">Usage policies apply</a>.</p>
</div>
</div><!-- Generated from data/scripts.php, ../../smarty/{scripts.tpl} --><!-- At the bottom for performance reasons --><div id="w3c_scripts">
<script type="text/javascript" src="/2008/site/js/main" xml:space="preserve"><!-- --></script>
</div></body></html>