On Jan 28, 2009, at 7:55 PM, Bill Cole wrote:
> Which is where SPF has entrenched itself. It is the easiest
> standardized mechanism for affirmative authentication of senders.
> It's not a general tool for identifying all forgeries, but it is
> useful and it is in widespread use. Ranting against its use is a few
> years late and not constructive, particularly when the critique is
> aimed at flaws that are avoided by the narrow uses that are actually
> common.
Bill,
There is now the Authentication-Results header that offers dangerous
ways to reveal SPF results. The draft defining the use of this header
suggests, in so many words, that local-parts are not to be included
unless local-part macros are employed.
Please be careful about misrepresenting what is achieved when an SMTP
client has been SPF authorized by a domain. Don't describe the
authorization as having "authenticated" the source domain. It is
worrisome to contemplate the number of people who will be misled and
harmed by the many ways that this erroneous conclusion can be
exploited by those with access to outbound servers. Earning the status
of Authentication should not be based upon a number of doubtful
assumptions.
-Doug
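As an added illustration of the distinction drawn above (example code, not from the thread or any project): a small parser for the Authentication-Results header that reports what an SPF pass actually covers, namely the envelope MAIL FROM domain, and flags when the author (From:) domain differs or a local-part is exposed in the header. The header values, domains and function names are constructed assumptions.

```python
# Added example (not part of the original thread): parse an
# Authentication-Results header and show what an SPF "pass" does and
# does not establish. Sample headers below are constructed.
import re
from email.utils import parseaddr

# Constructed message headers. SPF authorized the connecting host for the
# envelope (MAIL FROM) domain only; the author (From:) domain is untouched.
SAMPLE_HEADERS = {
    "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=bulk-sender.example",
    "From": "Accounts <billing@bank.example>",
}

def parse_auth_results(value):
    """Return (authserv_id, {method: (result, {ptype.property: value})})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id, resinfos = parts[0], parts[1:]
    results = {}
    for info in resinfos:
        m = re.match(r"(\w+)=(\w+)\s*(.*)", info)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = (result, props)
    return authserv_id, results

def assess_spf(headers):
    """Say what an SPF result covers and flag common over-interpretations."""
    _, results = parse_auth_results(headers["Authentication-Results"])
    if "spf" not in results:
        return {"spf": "none", "notes": ["no SPF result recorded"]}
    result, props = results["spf"]
    mailfrom = props.get("smtp.mailfrom", "")
    env_domain = mailfrom.rsplit("@", 1)[-1].lower()
    author_domain = parseaddr(headers.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    notes = []
    if "@" in mailfrom:
        # The draft advises recording the domain only, unless local-part
        # macros were actually evaluated during the SPF check.
        notes.append("local-part exposed in smtp.mailfrom")
    if result == "pass" and env_domain != author_domain:
        # An SPF pass authorizes the client IP for the envelope domain; it
        # says nothing about who wrote the message or the From: domain.
        notes.append("spf=pass authorizes %s only; author domain %s is unverified"
                     % (env_domain, author_domain))
    return {"spf": result, "envelope_domain": env_domain,
            "author_domain": author_domain, "notes": notes}

if __name__ == "__main__":
    print(assess_spf(SAMPLE_HEADERS))
```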
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg