On Fri, 24 Oct 2008 18:44:01 -0700 Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
> Describing these SPF/Sender-ID results as "authentication" will mean
> domains publishing SPF records are now in jeopardy of dangerously
> misleading recipients whenever a shared outbound server is employed
> somewhere. The risk will become painfully apparent whenever a bad
> actor's only "authentication" credential is having sent email through
> one of the authorized SMTP clients. There are _many_ cases where
> independent domains share a common outbound server. While path
> registration may help reduce a range of spoofed DSNs, it is NEVER safe
> to refer to this mechanism as an AUTHENTICATION method. This is not
> the first time that this concern has been raised.
Note that DKIM doesn't tell you any more or less. The same mechanisms that
the outbound shared MTA admin can use to prevent this type of problem for
DKIM can be used to prevent it for SPF.
Scott K
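The shared-relay situation both messages describe, as an added example that is not part of this thread: a minimal SPF evaluator (ip4 and include mechanisms only) run over constructed records for two hypothetical customer domains that delegate to one relay, showing that a single relay IP yields "pass" for every domain that includes it, followed by a constructed submission-side policy of the kind Scott refers to, which ties each authenticated account to the MAIL FROM domains it may use. All domain names, addresses and account names are made up.

```python
import ipaddress

# Constructed SPF records (hypothetical domains, documentation IP ranges).
# Both customer domains delegate to the same shared outbound relay.
SPF_RECORDS = {
    "alice.example": "v=spf1 include:_spf.relay.example -all",
    "bob.example": "v=spf1 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) against SPF_RECORDS."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # An include matches only if the referenced record yields "pass".
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


# What the relay operator can enforce on the submission side (constructed policy):
# each authenticated account may only use the MAIL FROM domains assigned to it.
SUBMISSION_POLICY = {
    "alice-acct": {"alice.example"},
    "bob-acct": {"bob.example"},
}


def relay_accepts(account, mail_from_domain):
    """True only if the authenticated account is entitled to this domain."""
    return mail_from_domain in SUBMISSION_POLICY.get(account, set())
```

Without the submission policy, a message from bob-acct claiming alice.example leaves the relay from 192.0.2.10 and receives an SPF "pass" for alice.example; with it, the relay rejects that message before the SPF result is ever produced.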
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html