[note: Let's please move SRS discussions to the SRS-discuss mailing list]
In <20040220104310(_dot_)GD6655(_at_)uk(_dot_)tiscali(_dot_)com> Brian Candler
<B(_dot_)Candler(_at_)pobox(_dot_)com> writes:
> The gain is *complete* protection from joe-jobbing, and unlike SPF, you get
> it instantly. Worth having I'd say; more than SPF in fact.
SRS does not prevent joe-jobbing and/or email address forgery. People
can still send email claiming to be from you.
If you publish SPF records and if the email receivers implement SPF,
then email address forgery can be detected.
If you use SRS on all outgoing email, and if you only accept bounces that are
SRS-valid, and if the email receivers do sender callbacks, and if the
email receivers' callbacks use MAIL FROM:<> instead of MAIL
FROM:<postmaster(_at_)receiver(_dot_)domain>, then email address forgery can be
detected.
Both SPF and SRS require the email receivers to do something. Most
email receivers do not use sender callbacks, so both SPF and SRS
require email receivers to do something new.
Using SRS on all outgoing email and blocking bounces from non-SRS
headers does stop the bogus bounces caused by email forgery. It may
stop some of the bogus email worm warnings and vacation notices, but
most of those seem to not use null envelope-froms.
-wayne
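
The bounce check described in the message above, as an added example that is not part of the original thread: outgoing envelope senders are signed, and null-sender mail (bounces and MAIL FROM:<> callbacks) is accepted only for recipients carrying a valid signature. It is a simplified SRS0-style scheme; the secret, validity window, function names, tag length and day numbers are assumptions for illustration, not the SRS specification.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"      # assumption: per-site signing key
MAX_AGE_DAYS = 21                        # assumption: bounce validity window
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(stamp, host, local):
    """Truncated HMAC over the fields a bounce must echo back unchanged."""
    msg = "=".join((stamp, host, local)).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest)[:4].decode()

def srs_sign(sender, our_domain, day):
    """Envelope sender to use on outgoing mail for `sender`."""
    local, host = sender.rsplit("@", 1)
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, host, local)}={stamp}={host}={local}@{our_domain}"

def accept_rcpt(mail_from, rcpt_to, day):
    """RCPT TO decision: null-sender mail must target an SRS-valid address."""
    if mail_from != "":
        return True                      # not a bounce or null-sender callback
    parts = rcpt_to.rsplit("@", 1)[0].split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return False                     # bounce to a plain address: refused
    _, tag, stamp, host, local = parts
    if not hmac.compare_digest(tag.encode(), _tag(stamp, host, local).encode()):
        return False                     # altered or fabricated address
    stamp = stamp.upper()
    if len(stamp) != 2 or any(c not in B32 for c in stamp):
        return False
    then = (B32.index(stamp[0]) << 5) | B32.index(stamp[1])
    return (day - then) % 1024 <= MAX_AGE_DAYS
```

A callback sent with a non-null sender such as postmaster@receiver.domain passes the first branch untouched, which is why the message lists MAIL FROM:<> callbacks as a precondition for detection.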