spf-discuss

Re: Maybe simple question

2003-12-13 12:30:53
So, like, the other day "Edward Ned Harvey" mumbled:

> I'm telling you, there are exactly two ways to verify email when it's
> received at the receiver's mta.  And spf doesn't use either of them.
>
> 1- Verification can be done based on the IP address of the last relay.  This
> is the approach of Certificate Authority based verification.  "This message
> was delivered by such-n-such IP address, and I know that IP address will
> only relay email that's verified.  Therefore I can assume this is
> authentic."

I believe SPF is attacking a slightly different problem based
on this scenario.  Everything is as you describe right up to
this point:

    and I know that IP address will only relay email that's verified

In the World As It Is, we do know the IP address that is doing
the delivery, but we can not rely on knowing that that address
will only relay email that is verified.  In fact, since any IP
address might be contacting us, its relay-status is uncertain.
And if it happens to be an open relay, it might be delivering
mail posing as some other machine.  The question trying to be
answered here is:  Is it acceptable for that IP address to pose
as the stated host?  Does it actually have the authority to deliver
mail as it claims?

This isn't intended to be cryptographically secure; it is intended
to be simple, yet authoritative, verification.

jdl
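
The question posed in the message above (may this IP address deliver mail as the domain it claims?) can be shown as a small check. This is an added example, not code from the thread or from the SPF project. It assumes the record syntax later standardized in RFC 7208, handles only the `ip4`, `ip6` and `all` mechanisms, and uses constructed domains and addresses in place of DNS lookups.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (assumption:
# RFC 7208 record syntax; the thread itself shows no record format).
PUBLISHED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
    "example.org": "v=spf1 ip4:203.0.113.7",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, sender_domain, records=PUBLISHED):
    """Return the SPF result for client_ip delivering mail as sender_domain."""
    record = records.get(sender_domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # domain publishes no policy: nothing to check against
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":  # matches every client; usually the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if (name == "ip4") != (net.version == 4):
                return "permerror"  # e.g. an IPv6 range under ip4:
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a/mx/include need DNS; out of scope here
    return "neutral"  # nothing matched and the record has no "all"
```

The result depends only on the connecting IP address and the policy published by the claimed domain, so a relay outside the listed ranges gets `fail` or `softfail` no matter what it says about itself.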

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt