> All proposals are different in their details; the important thing is
> what they can _achieve_. Take CSV and SPF, for example. Of course the
> details vary, but in practice they do exactly the same thing. Consider:
> MAIL FROM:<SRS0=xx=yy=ox(_dot_)org=aland(_at_)forwarder(_dot_)org>
> From: aland(_at_)ox(_dot_)org
>
> Precisely because SPF validates only one hop, it's achieving no more
> than CSV is. The recipient can look up how much they should trust
> 'forwarder.org' but you can't really tell if the message _really_ came
> from you.
SPF uses per-message validation. It can be viewed as validating the latest-hop
sending MTA, but the validation is provided by the originating sender. Hence,
SPF requires route registration. In truth it is validating the originating
sender, where the latest-hop MTA is merely a way into that information.
SPF uses per-session validation. Its validation is based on the latest-hop
sender's administration, rather than stretching back to the origin.
These are not small differences. In fact their semantics, administration and
use are entirely different.
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
www.brandenburg.com