ietf-mxcomp

Re: draft-schlitt-spf-classic-01.txt

2005-06-06 12:00:56

Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
> If SPF were used just to reject messages from unauthorized servers,
> which is rarely the case due to path registration problems, indeed
> there would be far less risk involved when publishing SPF records.

  So... why do "path registration" at all?  I'm still confused as to
why it's OK for people I've never heard of to send messages using my
mailbox address.

  When I send messages, my outgoing MTA looks up the MX record for the
domain of the destination mailbox, and sends the message to the
specified MTA.  Where's the path?

  If we had provable senders, and signed messages, then the path
problem would disappear.  If the transport layer, and application
message layer are both signed and accountable, then any MTA should be
able to transfer messages for any other MTA, and path problems become
moot.

> There is nothing provided by SPF that indicates whether 1 or 1000
> domains use an MTA or whether any mailbox-domain was initially checked
> for that matter.

  Is that a problem?  Publishing SPF records indicates that the domain
owner accepts accountability for the behavior of the MTA.  Who cares if
the MTA has another 10^6 domains, or is run by a
<insert-prejudice-here>, or by a convict, or is in Iraq?  The domain
owner states the MTA is accountable, so therefore it is.

  This objection to SPF looks a lot like an objection to *permitting*
the domain owner to make such statements.

  Alan DeKok.