I think it is reasonably well agreed that SPF is not the end-all and
be-all of spam solutions. It plays a part, and I think an important
part. I think it might be useful to think about SPF as one of a
series of layers, rather than a gizmo that sticks on some blob.
So, here are my thoughts:
------ layer 1:
IP addresses are AUTHORIZED via a series of SWIPs starting at the
ICANN, and going through ISPs.
Domain owners are AUTHORIZED via the domain name system by way of
registrars, and delegated authority from the TLD name servers.
------ layer 2:
IP addresses are AUTHENTICATED via the sufficiently random TCP sequence
numbers used during the SMTP connection.
DNS records are AUTHENTICATED via the sufficiently random
transaction-ID and port numbers during DNS lookups.
The use of a given IP address/domain name pair can be AUTHORIZED via
SPF.
The email address can often be AUTHENTICATED via a call-back to the
MTA of the domain and using SMTP VRFY or MAIL FROM:<>/RCPT TO:.
------ layer 3:
The email address in the From: header can often be AUTHENTICATED by
checking the Received-SPF header and knowing exceptions that
individual mail users have with respect to the mailing lists they are
on and the forwarding services they use.
The comment part of the From: header can often be AUTHENTICATED by
seeing if the comment looks like an email address and if there is a
miss-match between the From: address and the comment.
An individual person/company can be AUTHENTICATED via gpg/smime, but
to the best of my knowledge, there is no AUTHORIZATION check that can
be done for the use of an email address by an individual. Options in
the SPF record might be able to help bridge this, but SPF would just
be a convenient place to advertise such a connection.
A reputation system can use the SPF information to EVALUATE the source
of the email, but SPF would be only one part of such an evaluation.
------ layer 4:
MUAs should highlight suspect looking From: information
The stuff done in layer 2 is probably best done in the MTA that
boarders an organization with the Internet.
The stuff in layer 3 could be done in the MTA after the SMTP DATA
command, but it could also easily be done later in a spam filter or
something. If the SPF checking is not done in the MTA, then it can be
*much* harder to get authenticated IP/DNS info for the SPF check to be
done. This makes things like the reputation system much less reliable.
I think that the role that SPF plays is to bridge the gap between
layer 2 and layer 3. I think that is a well defined role, and a
useful one. I don't think it is useful to mix layer 2 and layer 3
stuff together.
-wayne
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡