Dean Anderson <dean(_at_)av8(_dot_)com> writes:
Even if you trust no other ISPs, all users at that ISP can still be able
to forge mail from other users at that ISP. That doesn't really solve any
problem either.
Oh, wait. There's one more thing: They might want to allow the customer to
connect directly from the IP addressed assigned to them by the other ISP.
So, not only do they need to allow every ISP's mail servers, they need to
allow every IP address. So any IP address forge email from any ISP. Thats
actually how it is now at many ISPs. Now we've got nothing but useless
DNS requests. So, what good is SPF?
SPF is still good for those (many) of us who do not use a
'user(_at_)isp(_dot_)com' or 'user(_at_)customer(_dot_)isp(_dot_)com' style
address and even more
so for those of us who also run our own mail servers. It enables us to
state 'if the email was not sent from one of these addresses, then it
is a forgery and not from us'. I agree that it (and many of the other
schemes being examined by MARID) does not offer quite so much
protection for people who use 'user(_at_)isp(_dot_)com' style addresses or those
who have to send mail via their ISP's servers. But if people are
concerned about forgery then they can register their own domain and
publish appropriately narrow SPF records.