ietf-mxcomp

Re: draft-schlitt-spf-classic-01.txt

2005-05-31 02:49:09

Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> writes:

> You can not prevail on an assumed record scope.  Both Sender-ID and SPF
> attempt to transform "server authorization" into "sender
> authentication."  If I were to authorize an email provider, would that
> mean any message using my email domain from that provider be from me?

I cannot comment on Sender-ID, but as I understand it (as the one who
publishes SPF records for the domain) SPF does not attempt to do this. An SPF
pass does *NOT* indicate that the mail is genuinely from the domain (though in
the cases of the domains I control it probably does as I also control the mail
servers), but an SPF fail indicates that the mail is definitely NOT genuinely
from the domain. So an SPF pass should not be counted as sender
authentication; even DomainKeys does not do this (it only authenticates the
domain and that the mail has not been 'tampered with'). If you want to
authenticate the sender you will have to use an MUA cryptographic system like
S/MIME or PGP/MIME etc.