spf-discuss

RE: Forwarding/Redirecting: The problem as I see it....

2005-07-08 08:37:35
On Fri, 8 Jul 2005, David Woodhouse wrote:

> What am I supposed to tell from an SPF 'pass' that I cannot tell from an SPF
> 'unknown' result? I know that I can't safely reject the mail; what
> _more_ am I supposed to infer?

An SPF pass is useful for whitelisting.  You can already blacklist
a domain without regard to forgery, but SPF helps there indirectly
by forcing spammers to use their own domains (even if they are
"throw away" domains).

For instance, my client wants to exempt mail from example.com from
content scanning.  (Catalogs with products and prices tend
to look like spam.)  But of course, we still don't want forged mail
claiming to be from example.com.  With SPF, this is simple.

A useful automatic technique is to add all rfc2821 recipients for
outgoing mail to a list.  If the MAIL FROM domain for incoming mail
is in the list and gets an SPF pass, then skip content checking.
The domain blacklist still applies, of course.

> Is my bank manager supposed to act upon instructions which appear to be
> from me and which have an SPF 'pass' result? Do I abandon my current use
> of GPG for that purpose?

SPF only authenticates the MTA, promising that it truly belongs
to the claimed domain.  (HELO can do that also in a less precise
and flexible fashion.)  It does not authenticate the person
creating the email, for instance (although for a small business domain,
it may be good enough).

It is not the be all and end all of email security.  It only solves
one specific problem.  You still need GPG.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
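The whitelisting policy sketched in the post (remember the RFC 2821 recipient domains of outgoing mail; skip content scanning for incoming mail only when the MAIL FROM domain is in that list and the SPF result is "pass"; the domain blacklist still applies) can be modelled in a few dozen lines. The following is an added example, not code from the post or from any SPF library; the SPF results and addresses are constructed inputs, and no DNS lookup is performed.

```python
# Added example (not from the spf-discuss post): a minimal model of the
# "pass + known correspondent => skip content scan" policy. SPF results are
# passed in as constructed strings; a real deployment would obtain them from
# an SPF checker run against the connecting MTA's IP.
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set


def envelope_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an RFC 2821 envelope address.

    Returns None for the null sender (<>) or a malformed address, so callers
    cannot accidentally whitelist bounces or garbage.
    """
    addr = address.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if not addr or "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    return domain.lower()


@dataclass
class SpfWhitelistPolicy:
    # Domains rejected regardless of SPF result (blacklist wins).
    blacklist: Set[str] = field(default_factory=set)
    # Domains we have previously sent mail to (RCPT TO on outgoing mail).
    correspondents: Set[str] = field(default_factory=set)

    def record_outgoing(self, rcpt_to: Iterable[str]) -> None:
        """Add every recipient domain of an outgoing message to the list."""
        for rcpt in rcpt_to:
            dom = envelope_domain(rcpt)
            if dom:
                self.correspondents.add(dom)

    def decide(self, mail_from: str, spf_result: str) -> str:
        """Classify an incoming message.

        Returns 'reject', 'skip-content-scan' or 'scan'.  Only an SPF 'pass'
        from a domain we already correspond with bypasses content scanning;
        any other result (none, softfail, neutral, fail, temperror...) is
        still scanned, because it proves nothing about the MTA.
        """
        dom = envelope_domain(mail_from)
        if dom is None:
            return "scan"  # null sender or malformed: nothing to whitelist on
        if dom in self.blacklist:
            return "reject"
        if dom in self.correspondents and spf_result.lower() == "pass":
            return "skip-content-scan"
        return "scan"


def demo() -> dict:
    """Run the policy over constructed sample traffic and return decisions."""
    policy = SpfWhitelistPolicy(blacklist={"spammer.example"})
    # Constructed outgoing message: recipients at example.com (mixed case).
    policy.record_outgoing(["<alice@Example.COM>", "bob@example.com", "<>"])
    cases = {
        # known correspondent, SPF pass: catalog mail skips content scanning
        "catalog-pass": policy.decide("<news@example.com>", "pass"),
        # same domain, no SPF record: cannot tell it from a forgery, so scan
        "catalog-none": policy.decide("<news@example.com>", "none"),
        # SPF pass from an unknown domain is not a whitelist on its own
        "unknown-pass": policy.decide("<x@other.example>", "pass"),
        # blacklisted domain is rejected even with a genuine SPF pass
        "blacklisted-pass": policy.decide("<x@spammer.example>", "pass"),
        # bounce (null sender) is always scanned
        "bounce": policy.decide("<>", "pass"),
    }
    return cases


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The policy deliberately treats every non-"pass" result identically: as the post says, a "pass" authenticates only that the MTA belongs to the claimed domain, which is exactly what this whitelist needs, while "unknown"/"none" gives no such assurance and leaves the message on the normal scanning path.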