Ian Eiloart <iane(_at_)sussex(_dot_)ac(_dot_)uk> wrote:
> The point of SPF is to authenticate the sending domain.

I don't believe SPF does any such thing. Domains can publish SPF RRs,
but those can't reasonably be said to "authenticate" anything, least of
all the "sending domain."

> If the IP address is authorised (by the domain owner) to send mail from
> the sender domain,

That's closer... But I'd argue that no SPF construct "authorizes"
sending email. In practice, I think it's quite clear that SPF constructs
merely express probabilities.

> then bouncing mail into that domain isn't going to be causing backscatter,
> unless the domain lacks internal controls over message submission.

Of course, rather few domains other than corporate domains with
administrators more-than-average familiar with SMTP have reasonable
"internal controls over message submission". :^(

> If it does lack those internal controls, then the users of the domain
> can blame the domain owner.

Indeed they can... does that actually accomplish anything?

> I guess there can also be issues where two distinct domains share the
> same outbound IP addresses, through an email service provider.

Indeed, that is common...

> In that case, the email service provider is the responsible party that
> needs to be held to account.

(which, BTW, is what CSV set out to do...)

> They need to ensure either (a) separation of domains by outbound IP
> address combined with accurate SPF records,

Assuming they control either multiple IP addresses _or_ the SPF
records is risky. But even if they did, how would this lead to assigning
the responsibility correctly?

> or (b) proper implementation of MSA on all the domains that they
> provide service for.

That is at least practical... But how does it lead to assigning the
John Leslie <john(_at_)jlc(_dot_)net>
Asrg mailing list