
On Fri, 2005-02-04 at 09:53 -0500, Todd Vierling wrote:
On Thu, 3 Feb 2005, Edward B. Dreger wrote:
JJ> auth is sufficient to make email traceable to your own customers.
End users also would appreciate the ability to _know_ a message is not forged.
The only way to be sure is via cryptographic signature. Barring that level of immediate traceability, SPF provides a very useful data point to that end (as its *only* purpose is curbing forgery).
For detecting spam trickled through thousands of compromised systems and sent through the ISP's mail servers, SPF does nothing, and could actually damage the reputation of those domains that authorize the provider for their mailbox domain using SPF. These records can be read by the spammers and then exploited. Repairing this reputation could be next to impossible. With respect to forgery, authorization is not authentication. There is no consensus on which mailbox-domain is checked, SPF (MAILFROM or HELO), Classic (MAILFROM or Other and HELO), or Sender-ID (PRA), so it is uncertain which mailbox-domain may have been checked for authorization, if any. False assurances could be worse than no assurances. White-listing for forwarded accounts or mailing lists to allow an SPF rule-set bypass means there is no certainty a check was ever made.

-Doug
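Added example, not from the thread or any of its authors: a minimal SPF evaluator (ip4/ip6/all mechanisms only, no include/a/mx/redirect) run against the three identities Doug lists, using constructed records for the hypothetical domains example.com and isp.example. It shows how one connection can pass on HELO yet fail on MAILFROM and PRA, and how a pass on the ISP's own domain says nothing about which customer of that ISP actually sent the message.

```python
import ipaddress

# Constructed SPF records for two hypothetical domains (not from the thread).
POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",     # publishes only its own MTAs
    "isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # ISP's outbound relays
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, ip):
    """Evaluate a v=spf1 record (ip4/ip6/all mechanisms only) for a sending IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # A v4 address never matches a v6 network (and vice versa).
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no "all" term


def check_identities(ip, helo, mail_from, pra):
    """Run the same SPF check against each identity a receiver might pick:
    HELO name, MAIL FROM domain, or Sender-ID's Purported Responsible Address."""
    results = {}
    for label, domain in (("HELO", helo),
                          ("MAILFROM", mail_from.rpartition("@")[2]),
                          ("PRA", pra.rpartition("@")[2])):
        record = POLICIES.get(domain)   # stands in for a DNS TXT lookup
        results[label] = evaluate_spf(record, ip) if record else "none"
    return results


if __name__ == "__main__":
    # Constructed message relayed by the ISP with an example.com sender.
    print(check_identities("198.51.100.7", "isp.example",
                           "someone@example.com", "someone@example.com"))
    # Same relay, but the sender uses the ISP's own domain: every identity passes,
    # although SPF has said nothing about which customer composed the message.
    print(check_identities("198.51.100.7", "isp.example",
                           "anyone@isp.example", "anyone@isp.example"))
```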