ietf-mxcomp

Re: Do not spoof me

2004-12-10 02:33:02

On Thu, 2004-12-09 at 15:55 -0800, Douglas Otis wrote:
> Those wishing to spoof a domain could add a label that already has a
> record such as- 
>
> MAILFROM:<user@name_of_inbound_smtp_server.an.example>.

Or even MAIL FROM:<SRS0=xx=yy=an.example=user@elsewhere.org>

SPF is by its very nature a hop-by-hop mechanism; it cannot give a true
end-to-end indication of forgery.

The problem is that we need to know with high accuracy which mails are
_spoofed_. SPF can only tell us for sure which mails are _not_ spoofed.
We want a blacklist; we have a whitelist. To go from one to the other is
not a simple negation.

-- 
dwmw2
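
The hop-by-hop point, as an added example that is not part of the original message: it works out which domain's SPF policy a receiver would actually consult for the two envelope senders shown in the thread. The function names are hypothetical, and the SRS0 layout (hash, timestamp, original domain, original local part) is assumed from the address in the message.

```python
# Added illustration; helper names are hypothetical and the sample addresses
# are the constructed ones quoted in the thread.

def spf_checked_domain(mail_from):
    """Domain whose SPF policy is evaluated: everything after the last '@'."""
    local, sep, domain = mail_from.strip("<>").rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a usable envelope sender: %r" % mail_from)
    return domain.lower()

def parse_srs0(mail_from):
    """Split a local part of the form SRS0=hash=timestamp=domain=local, else None."""
    local = mail_from.strip("<>").rpartition("@")[0]
    if local[:5].upper() != "SRS0=":
        return None
    parts = local[5:].split("=", 3)  # the original local part may contain '='
    if len(parts) != 4:
        return None
    return dict(zip(("hash", "timestamp", "orig_domain", "orig_local"), parts))

def consults_policy_of(mail_from, policy_domain):
    """True only if policy_domain's own SPF record is the one looked up.
    SPF queries the exact MAIL FROM domain; it does not walk up to a parent."""
    return spf_checked_domain(mail_from) == policy_domain.lower()

def assess(mail_from, policy_domain):
    srs = parse_srs0(mail_from)
    return {
        "spf_checks": spf_checked_domain(mail_from),
        # Origin asserted inside the rewritten address. Its hash is keyed by
        # the rewriting hop, so this receiver has no way to verify it.
        "claimed_origin": srs["orig_domain"].lower() if srs else None,
        "policy_consulted": consults_policy_of(mail_from, policy_domain),
    }

if __name__ == "__main__":
    for sender in ("<user@name_of_inbound_smtp_server.an.example>",
                   "<SRS0=xx=yy=an.example=user@elsewhere.org>"):
        print(sender, assess(sender, "an.example"))
```

In both cases `policy_consulted` is false: an SPF result for these messages says something about the domain after the `@`, and nothing about `an.example`.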