spf-discuss

Re: Discussion of Email Caller ID Boycott

2004-03-30 07:55:55
In <Pine(_dot_)LNX(_dot_)4(_dot_)53(_dot_)0403301536270(_dot_)2504(_at_)astray(_dot_)com> Shevek <spf(_at_)anarres(_dot_)org> writes:

> On Tue, 30 Mar 2004, wayne wrote:
>
>> [...] both C-ID and Yahoo's domainkeys try to solve a slightly
>> different problem than SPF.  SPF tries to protect the RFC2821
>> envelope-from, while C-ID and DK try to protect the RFC2822 From:
>> header.  As such, these are complementary technologies, rather than
>> competitive.
>
> I note that neither of these technical objectives is the direct aim of
> either protocol. No one sat down and said "We need to protect the 2821
> envelope". They sat down and said, "Oh bollocks. That's another 15,000
> spams."

Actually, in the case of SPF, I think that several of us did say "We
need to protect the envelope-from".  In particular, spoofed
envelope-froms are the cause of misdirected bounces, and the inability
to trust the envelope-from makes it dangerous to accept the email and
then later generate a bounce.  The envelope-from can also be checked
very early on, and therefore makes it a good target to attack first.

SPF used to even have a "scope=" modifier to say whether to check the
envelope-from or the From: header (or both).  However, after
considering all the difficulties of reliably detecting problems with
the From: header, the modifier was dropped.

A lot has been kicked around since the beginning, but this was
discussed.


-wayne