spf-discuss

RE: Maybe simple question

2003-12-12 19:41:52
> I believe the confusion in this thread arises from Ned Harvey's
> assumption that SPF is executed at MDA time, rather than at MTA time.

Wrong.  I am assuming that sender verification will be done by the MTA.

I'm telling you, there are exactly two ways to verify email when it's
received at the receiver's MTA.  And SPF doesn't use either of them.

1- Verification can be done based on the IP address of the last relay.  This
is the approach of Certificate Authority based verification.  "This message
was delivered by such-n-such IP address, and I know that IP address will
only relay email that's verified.  Therefore I can assume this is
authentic."

2- Something is encoded inside the message, and the only person who could
have put it there is the true sender.  There are several proposals that fit
this description.  eMVP is one (emvp.org).  XMPP dialback, and Yahoo public
key, and some others for example.


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt