spf-discuss

Re: Maybe simple question

2003-12-14 11:30:38
----- Original Message ----- 
From: "Edward Ned Harvey" <flyboy(_at_)nedharvey(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, December 14, 2003 6:12 AM
Subject: RE: [spf-discuss] Maybe simple question


Even if I publish an spf record saying that spf(_at_)nedharvey(_dot_)com sends
mail from smtp.rcn.com or smtp.aol.com or whatever, that's already
allowing 2 million people to forge my address and be verified "authentic."
If we make it even broader, it's useless.

SPF does not authenticate email addresses, it authenticates relays; SPF does
not verify that "spf(_at_)nedharvey(_dot_)com is who he says he is," but that
"relay X, according to the published SPF records at nedharvey.com, is
authenticated to relay mail for envelope FROM addresses with nedharvey.com as
domain name."
In doing so, SPF will literally prevent millions of forgeries, when large
parties, such as hotmail.com, jump aboard.

"Sender authentication" is something entirely different; though the process
of adopting SPF could go a long way towards getting there, too. For
instance, once all users on an SPF compliant system are finally using SASL,
that MTA could then, in a simple ruleset, verify email addresses before they
leave the system, even. Adopting SPF expedites the use of SASL. So, ere
long, you will get two for the price of one. :)

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
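
An added example, not part of the original message and not code from any SPF implementation: a simplified evaluator showing the point made in the reply above, that the SPF result depends on the connecting relay and the envelope FROM domain and never on the local part. It assumes a subset of mechanisms (ip4, ip6, all) and a record passed inline instead of fetched from DNS; the domain, record and IP addresses are constructed.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(record: str, client_ip: str) -> str:
    """Evaluate a simplified SPF record (ip4/ip6/all only) for one relay IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"  # mechanism outside this example's subset
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def spf_for_message(records: dict, envelope_from: str, client_ip: str) -> str:
    """Only the domain of the envelope FROM is used; the local part is dropped."""
    domain = envelope_from.rpartition("@")[2].lower()
    record = records.get(domain)
    return check_host(record, client_ip) if record else "none"

# Constructed sample data: one domain that authorizes a shared relay network.
RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}
SHARED_RELAY = "192.0.2.25"   # inside the authorized network
OTHER_HOST = "198.51.100.7"   # not listed in the record

def demo() -> dict:
    return {
        "owner via relay": spf_for_message(RECORDS, "spf@example.org", SHARED_RELAY),
        "other local part, same relay": spf_for_message(RECORDS, "anyone@example.org", SHARED_RELAY),
        "owner via unlisted host": spf_for_message(RECORDS, "spf@example.org", OTHER_HOST),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The first two cases return the same result because the relay is what the record authorizes; checking which user may send as which address is left to the relay itself, which is where the SASL step mentioned in the reply comes in.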
