Wednesday, July 29, 2015

Why does Amazon SES not require SPF modifications in their current implementation?

Amazon's current SES Documentation says:

If you are using Amazon SES to send from your domain, you need to know that the current SES implementation involves sending emails from an SES-owned MAIL-FROM domain. This means that you do not need to make any changes to your DNS records in order for your emails to pass SPF authentication.

Source: http://ift.tt/1w7KDny


OpenSPF describes SPF this way:

What is SPF?

SPF (defined in RFC 4408) validates the HELO domain and the MAIL FROM address given as part of the SMTP protocol (RFC 2821 – the "envelope" layer). The MAIL FROM address is usually displayed as "Return-Path" if you select the "Show all headers" option in your e-mail client. Domain owners publish records via DNS that describe their policy for which machines are authorized to use their domain in the HELO and MAIL FROM addresses, which are part of the SMTP protocol.

Source: http://ift.tt/1AXchGP


I don't understand how these two match up.

If my current SPF Record looks like:

v=spf1 mx a ~all

(And Amazon is not in my MX records.)

I would imagine that the receiver gets

HELO abc.smtp-out.amazonses.com
MAIL FROM: <user@mydomain.com>

then the receiver goes and gets the "mydomain.com" SPF TXT record and says, "Hey, abc.smtp-out.amazonses.com is not listed, therefore SPF=FAIL."

What am I misunderstanding?


P.S. It appears that SES used to have you add "include:amazonses.com" to your SPF record, which makes perfect sense to me. Source: How to know if the SPF config is working (Amazon SES/Route53)?
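
An added example (not part of the original post or of Amazon's documentation): a small evaluator for a subset of SPF, showing that the receiver looks up the policy of whatever domain appears in the envelope MAIL FROM, so the result changes with that domain even though the sending IP stays the same. All DNS data, IP addresses, the bounce@amazonses.com address and the old-style.example domain are constructed for illustration and are not Amazon's real values.

```python
import ipaddress

# Constructed DNS data (not real records): SPF TXT policies per domain.
TXT = {
    "mydomain.com": "v=spf1 mx a ~all",                    # record from the question
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",    # constructed stand-in
    "old-style.example": "v=spf1 mx a include:amazonses.com ~all",  # the P.S. variant
}
# Constructed addresses that each domain's "a" and "mx" mechanisms resolve to.
HOSTS = {"mydomain.com": {"a": ["203.0.113.10"], "mx": ["203.0.113.25"]}}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SES_IP = "198.51.100.7"  # constructed address of the sending SMTP client


def check_host(ip, domain, depth=0):
    """Evaluate a subset of SPF (a, mx, ip4, include, all) for one domain."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = ip in HOSTS.get(arg or domain, {}).get(name, [])
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def spf_for_message(client_ip, mail_from):
    """SPF keys on the envelope MAIL FROM domain, not the From: header."""
    return check_host(client_ip, mail_from.rpartition("@")[2])


if __name__ == "__main__":
    for sender in ("user@mydomain.com", "bounce@amazonses.com", "user@old-style.example"):
        print(sender, "->", spf_for_message(SES_IP, sender))
```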



