spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-03 23:27:33
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com> writes:

> It is intended to allow you to measure the authority of a certain mail
> client to use a certain domain.  This doesn't fix spam, but it helps
> to avoid someone impersonating example.com to avoid detection as
> themselves.

As currently proposed, it helps solve the problem just like having a
butter knife helps when you're being assaulted.  A butter knife may be
better than nothing, but try selling it.  People just haven't realized
what is being sold yet.  As many times as the SPF web site says exactly
what SPF does and doesn't do, it doesn't matter because everyone is
selling something different and because minimal efforts have been taken
to correct people.

> As far as fixing phishing, there is nothing stopping people from
> registering bigbank-customerservice.com to attack people who have
> bigbank.com accounts.

You can phish pretty darn effectively without even registering a domain
that seems similar.  Even with SPF or Caller-ID and even with kick-ass
authentication, accreditation, and reputation systems.  All it takes is
patience.

> This is the same problem with SSL and current browser practices for
> https connections.

Not really.  You still start your browsing session at www.bigbank.com.
Since email is a push medium, the problem is considerably different.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
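The distinction the thread turns on (an SPF "pass" states only that the sending host is authorised to use the domain in the envelope sender, not that the domain is the one the recipient trusts) can be made concrete with a small evaluator. This is an added example, not code from the original thread or from the SPF project: the DNS TXT records, domain names and IP addresses below are constructed, and the evaluator implements only the ip4, ip6 and all mechanisms with their qualifiers, nothing else from the SPF specification.

```python
"""Toy SPF check_host() to show what an SPF result does and does not tell you.

Added example, not from the spf-discuss thread or the SPF project. The
DNS records, domains and addresses are constructed for illustration.
"""
import ipaddress

# Constructed TXT records standing in for DNS. The attacker controls
# bigbank-customerservice.com and publishes a perfectly valid record
# for the host they actually send from.
DNS_TXT = {
    "bigbank.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bigbank-customerservice.com": "v=spf1 ip4:198.51.100.7 -all",
    "example.org": "v=spf1 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain):
    """Simplified SPF evaluation of a connecting IP against a domain.

    Supports only the ip4, ip6 and all mechanisms. Returns one of
    'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists, redirect etc. are not implemented here;
        # unknown mechanisms are skipped rather than evaluated.
    # No mechanism matched and no 'all' present: default result is neutral.
    return "neutral"


def phishing_sample():
    """Two messages from the attacker's host (constructed address).

    One forges bigbank.com in the envelope sender and is rejected; the
    other uses the attacker's own lookalike domain and passes cleanly.
    """
    attacker_ip = "198.51.100.7"
    return {
        "forged@bigbank.com": check_host(attacker_ip, "bigbank.com"),
        "support@bigbank-customerservice.com": check_host(
            attacker_ip, "bigbank-customerservice.com"),
    }


if __name__ == "__main__":
    for sender, result in phishing_sample().items():
        print(f"{sender}: {result}")
```

Running it shows the forged bigbank.com message failing and the lookalike-domain message passing, which is the point of the exchange: a receiver that treats "pass" as "trustworthy" has verified nothing about who the user thinks the mail came from. A production deployment should use a full implementation of the specification rather than this subset.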