This is where SPF and Sender-ID make a very serious mistake. This
assumes "server authorization" is equivalent to "sender authentication."
It would be like me making a declaration that the postal service is
authorized to deliver my letters, where recipients are then claiming any
letter received from the postal service bearing my name is authentically
or genuinely from me. Of course that would be a false assumption, yet
this draft describes the sender as "considered responsible for sending
the message." Review the many assumptions being made before arriving at
this conclusion. This false assumption is also why publishing SPF
records is unwise for the majority of domain owners.
If there were only one post office, not many millions, the analogy might
be more accurate.
It's not entirely firm authentication, but it's sure better than having
no information at all. . . But would you take less than fully secured
crypto, or is the perfect the enemy of the good in this case?
Ari