On 3/29/10 12:06 PM, Tarig Yassin wrote:
> Hi Jul
> DKIM, SPF, and DomainKeys are sender authentication methods for email systems, which use public key cryptography.
DKIM and DomainKeys use public key cryptography to authenticate signature sources used for signing at least email From headers and signature headers. However, SPF uses chained IP address lists to establish source authorization, but not authentication. Since outbound MTAs might handle multiple domains, it would be incorrect to assume authorization implies authentication and to expect email domains to have been previously verified by the source. For example, Sender-ID might use the same SPF record, but this expects Purported Responsible Addresses (PRA) rather than Mail Froms to have been verified. On the other hand, SPF was designed to ignore the PRA, and neither section 2.2 nor 2.4 of RFC 4408 imposes prior verification demands on Mail From or HELO, which would conflict with normal forwarding. :^(

Both DKIM and DomainKeys share the same domain label of "<domain-holding-key>._domainkey.<admin-domain>", whereas the first SPF record in a chain would be accessed without any prefix label. While bad actors could use either scheme to obscure encoded DNS tunnel traffic, ascertaining abnormal use would be especially difficult whenever the first SPF record in a chain includes local-part encoding for subsequent SPF record prefixes. :^(

-Doug
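As an added example, not code from the thread or from either poster: a small Python checker for the two things Doug describes, a selector label in a `<selector>._domainkey.<domain>` lookup that looks like encoded data, and SPF include chains whose targets embed sender-controlled local-part macros. The sample query names and TXT records are constructed, and the length and entropy thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample data (not from the thread): DNS query names as a resolver
# log might record them, plus a small set of SPF TXT records to walk.
SAMPLE_QUERIES = [
    "selector1._domainkey.example.com",
    "q3v9zj2kx8p1ab7fm4rt6hc0ld5ne2w._domainkey.example.com",
]
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.example.com -all",
    "_spf.example.com": "v=spf1 include:_spf1.example.com include:%{l}._spf2.example.com -all",
    "_spf1.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

def shannon_entropy(label):
    """Bits per character of a label; random-looking encoded data scores well above 3.5."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values())

def suspicious_dkim_selector(qname, max_len=24, max_entropy=3.5):
    """True if a <selector>._domainkey.<domain> lookup has an unusually long or
    high-entropy selector label; None if qname is not a DKIM key query at all.
    The thresholds are assumed defaults, not values from the thread."""
    m = re.match(r"^([^.]+)\._domainkey\.", qname)
    if not m:
        return None
    sel = m.group(1)
    return len(sel) > max_len or shannon_entropy(sel) > max_entropy

def spf_targets(record):
    """Domains referenced by include:, redirect= and exists: terms of one record."""
    return re.findall(r"(?:include:|redirect=|exists:)(\S+)", record)

def sender_controlled_targets(record):
    """Targets whose name embeds the %{l} (local-part) or %{s} (sender) macros:
    the resulting query name then carries data chosen per message by the sender."""
    return [t for t in spf_targets(record) if re.search(r"%\{[ls]", t)]

def spf_chain_depth(txt, domain, seen=None):
    """Depth of the include/redirect chain starting at domain; loops and targets
    absent from txt (macros are not expanded here) end the walk."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in txt:
        return 0
    seen.add(domain)
    return 1 + max((spf_chain_depth(txt, t, seen) for t in spf_targets(txt[domain])), default=0)
```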