ietf-mxcomp

RE: DEPLOY: not at the University of Cambridge

2004-09-10 08:20:11

On Fri, 2004-09-10 at 09:04 -0500, Sauer, Damon wrote:
> 1) When SPF is deployed and used the line between forgeries and
> legitimate will be much sharper.
> 2) In the corporate world, I am actually going to be able to deploy SPF
> based on the argument that my MAIL FROM: will not be able to be forged.
> 3) Which in turn makes all MY email legitimate. This means if anyone
> sends with my domain from a source outside of my defined range, you can
> identify as a forgery.

The point is that you _cannot_ reliably identify it as a forgery unless
you're willing to redefine your meaning of 'forgery' for the purpose; in
particular you'd have to redefine your meaning of 'forgery' to include a
lot of mail which a lot of people consider perfectly valid and normal.

Consider the case where you send mail to a user at one of my virtual
domains, and my mail hosts forward it on to the final recipient. Some
definitions of 'forgery' may include the mail which my mail host sends
on... but my definition does not.

We know how slow the world is to upgrade even when the upgrade is useful
and well-designed, like ESMTP and TLS. For things like SRS or the
Resent-* header abuse, I'd predict that the take-up will be a _lot_
slower. If it were just an addition to a Received: header perhaps it
would be quicker to catch on though. That could be enabled by default in
MTAs. 

-- 
dwmw2
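
The forwarding case discussed in the message above, as an added example that is not part of the original post: a minimal SPF evaluator (only the `ip4` and `all` mechanisms) run over constructed records, showing the result for direct delivery, for plain forwarding, and for forwarding with an SRS-style rewritten envelope sender. The domains, IP addresses, records and the rewritten address are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records (example domains, documentation address ranges).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from):
    """Evaluate the MAIL FROM domain's record; only ip4 and all are handled."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return RESULTS[qualifier]
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return RESULTS[qualifier]
    return "neutral"


def deliveries():
    """SPF result seen by the receiving MTA in each delivery path."""
    sender = "alice@sender.example"
    forwarder_ip = "198.51.100.25"
    # Constructed SRS-style address; hash and timestamp are placeholders.
    rewritten = "SRS0=HHH=TT=sender.example=alice@forwarder.example"
    return {
        # Sender's own host connects straight to the final recipient's MX.
        "direct": check_spf("192.0.2.10", sender),
        # Forwarding host relays the mail and keeps the original MAIL FROM.
        "forwarded_unchanged": check_spf(forwarder_ip, sender),
        # Forwarding host rewrites MAIL FROM into its own domain.
        "forwarded_rewritten": check_spf(forwarder_ip, rewritten),
    }


if __name__ == "__main__":
    for path, result in deliveries().items():
        print(f"{path}: {result}")
```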