The sender signs a hash of the envelope sender (plus time stamp) by using a
private RSA key and in the SPF record publishes the public key needed to check
Currently, SPF only requires one DNS record to work from the sender, i.e. it
does not require software upgrades or software replacements. This makes it
possible to make a lot of domains provide SPF protection, which again makes it
useful to implement SPF filtering.
Anything that requires signing of e-mails requires new software. This makes it
much less likely to get widespread adoption, and therefore also less
interesting to get filtering for it. Therefore, any add-on to the SPF spec that
uses signing must be optional, or it will kill SPF. And if it is optional, we
still have the forwarding problem to address.
There are enough technologies out there that prevent spam but require the
sender to implement specific software. For some reason, none of it has become
really widespread.
Lars.