ietf-mxcomp

Re: (DEPLOY) In Support of Sender ID

2004-09-03 08:54:08

On Fri, 3 Sep 2004, Graham Murray wrote:

> Rand Wacker <rand(_at_)sendmail(_dot_)com> writes:
>
>> As I said before, there is a large majority of mail that goes from large
>> commercial sites (or consumer ISPs) merely one hop to another large
>> commercial ISP, so the From: header will be successfully authenticated.
>
> In the case of sending from a large ISP (and that includes commercial
> sites who outsource email) that is not true. Unless the ISP does
> additional checking then Sender-ID (and SPF) still allows a customer
> of the ISP to forge the mail as coming from any other customer of that
> ISP.

Sorry, I should have said "the domain of the From: header". Such is the
limitation of doing domain-based auth. The limitation of doing user-based
auth is a high barrier to deployment.

-Rand
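
The limitation discussed in this thread, as an added example that is not part of the original message: a simplified SPF-style check (only `ip4` and `include`, not a full evaluator) shows what a receiver can verify, next to the ISP-side "additional checking" that binds an authenticated customer to its own From: domain. All domains, addresses, account names and the `ACCOUNT_DOMAINS` table are constructed for illustration.

```python
import ipaddress

# Constructed SPF-style policies: both customers delegate to the same ISP relay range.
SPF = {
    "isp.example": ["ip4:192.0.2.0/24"],
    "alice-shop.example": ["include:isp.example"],
    "bob-corp.example": ["include:isp.example"],
}

def spf_pass(domain, client_ip, depth=0):
    """Simplified evaluation: only ip4 and include mechanisms, default fail."""
    if depth > 10 or domain not in SPF:
        return False
    ip = ipaddress.ip_address(client_ip)
    for mech in SPF[domain]:
        kind, _, arg = mech.partition(":")
        if kind == "ip4" and ip in ipaddress.ip_network(arg):
            return True
        if kind == "include" and spf_pass(arg, client_ip, depth + 1):
            return True
    return False

# Hypothetical ISP-side table: which From: domains each authenticated account owns.
ACCOUNT_DOMAINS = {
    "alice": {"alice-shop.example"},
    "bob": {"bob-corp.example"},
}

def isp_accepts_submission(auth_user, from_addr):
    """The 'additional checking': bind the authenticated customer to the From: domain."""
    domain = from_addr.rpartition("@")[2].lower()
    return domain in ACCOUNT_DOMAINS.get(auth_user, set())

def receiver_view(from_addr, relay_ip):
    """What the receiving site can verify: only the domain against the relay IP."""
    return spf_pass(from_addr.rpartition("@")[2].lower(), relay_ip)

if __name__ == "__main__":
    relay = "192.0.2.25"  # shared ISP outbound relay (constructed)
    for user, sender in [("alice", "sales@alice-shop.example"),
                         ("alice", "ceo@bob-corp.example")]:
        print(user, sender, "receiver:", receiver_view(sender, relay),
              "isp:", isp_accepts_submission(user, sender))
```

The receiver's domain-level check passes for both messages because they leave through the same relay; only the check at submission, where the customer's identity is known, tells them apart.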