ietf-mailsig

Re: MARID vs. MASS

2005-01-14 10:07:00

> > Signature schemes ask yet a different question.  Whereas SPF asks "could
> > the message have come from this domain", signature schemes ask "did the
> > message come from this domain."  That's a different and considerably
> > stronger assertion.
>
> The way I prefer to see/phrase this is that SPF offers a _whitelist_. It
> can say 'yes' or it can say 'maybe'. It can't reliably say 'no'.

It can't even say "yes"; at best it can say "probably", since SPF doesn't
certify individual messages.  If your sending host is entirely under your
control and sends only for your domain, an SPF "yes" means "yes", but if
your SPF points at your ISP and your ISP is large, messages might be from
you or might be from any of a million other users with a zombie or an odd
sense of humor.  Path schemes like SPF haven't offered any way to
distinguish those two situations other than guessing from ~all or -all.

Since signatures are applied to individual messages, the outgoing mail
server can (and I hope will) make whatever checks it can to verify that
the internal sender is who he says he is.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
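The contrast John draws above (a path check that can only say "this host is allowed for the domain" versus a signature that is bound to one message) is easy to see in code. The following is an added example, not code from the post or from any SPF or MASS implementation. It evaluates a deliberately minimal SPF record (only ip4 and all mechanisms, no DNS) and, beside it, a per-message signature check; the domains, addresses, records and key are constructed for illustration, and HMAC-SHA256 stands in for the public-key signature a real scheme would use, since the point being shown is per-message binding rather than the key type.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF records for two hypothetical domains (assumptions, not from
# the post).  example.com runs its own mail server and lists only that host;
# example.org points at a large shared ISP range, the "ISP is large" case.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.25 -all",
    "example.org": "v=spf1 ip4:198.51.100.0/22 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS):
    """Minimal path check: evaluate ip4 and all mechanisms with their qualifiers.

    Deliberately omits include/redirect/a/mx and DNS lookups so it runs offline.
    Returns one of pass, fail, softfail, neutral, none.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    # No mechanism matched and there was no "all": SPF's default is neutral.
    return "neutral"


def canonicalize(headers, body):
    """Simplified canonical form: lowercase header names, trimmed values, CRLF -> LF."""
    head = "\n".join(f"{name.lower()}:{value.strip()}" for name, value in headers)
    return (head + "\n\n" + body.replace("\r\n", "\n").strip()).encode()


def sign_message(domain_key, headers, body):
    """Per-message signature.  HMAC-SHA256 is a stand-in for the public-key
    signature a real scheme would use; what matters here is that the value
    is bound to this one message, not to a sending host."""
    return hmac.new(domain_key, canonicalize(headers, body), hashlib.sha256).hexdigest()


def verify_signature(domain_key, headers, body, signature):
    return hmac.compare_digest(sign_message(domain_key, headers, body), signature)


def demo():
    """Two messages leave the same shared ISP host claiming example.org.  SPF
    passes both, since it only sees the host; only the message that
    example.org's outgoing server actually signed verifies."""
    isp_host = "198.51.100.200"                     # constructed shared ISP address
    key = b"example.org-signing-key"                # constructed; a private key in practice
    genuine = ([("From", "alice@example.org"), ("Subject", "invoice")], "Please pay.\r\n")
    zombie = ([("From", "alice@example.org"), ("Subject", "invoice")], "Please pay ME.\r\n")
    sig = sign_message(key, *genuine)               # signed by example.org's own server
    return {
        "spf_genuine": check_spf("example.org", isp_host),
        "spf_zombie": check_spf("example.org", isp_host),
        "sig_genuine": verify_signature(key, *genuine, sig),
        "sig_zombie": verify_signature(key, *zombie, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` gives SPF "pass" for both the genuine message and the zombie's, because the record vouches for the whole /22 and cannot tell one ISP customer from another; the signature check accepts only the message the domain's server signed, which is the "did the message come from this domain" question the post distinguishes from "could it have".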

