spf-discuss

RE: Possible New Mechanism Prefix

2004-06-24 14:11:20
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Mark Shewmaker
Sent: Thursday, June 24, 2004 4:48 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Possible New Mechanism Prefix

Putting aside arguments over what's being authenticated, return-path or
PRA, part of the whole point of spf is to allow receivers to presume
that "SPF Pass==not a forgery".

Except that isn't the way the design works.

The current design says, SPF Pass = permitted sender.  That is, this message
came from an MTA that I have designated to send e-mail for my domain.

The degree to which I have control over that MTA represents my certainty
that the message isn't forged.  I use 2 MTAs primarily.  One is provided by
my ISP and one by my domain host.  It is a perfectly legitimate use of my
ISP's SMTP service to send mail through their server that purports to be from
my domain.  This is the way I would imagine most people/small businesses
that have their own domains operate.  The problem is that my ISP has a LOT
of customers.

SPF Pass==not a forgery is only true for organizations running their own
MTA.

If you are saying that SPF is only for people that run their own MTA, then
its adoption is going to be very limited.

Your response to my message exemplifies exactly why I am worried.

Scott Kitterman
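
The distinction drawn in this message, between "permitted sender" and "not a forgery", shown as an added example that is not part of the original post. It evaluates a subset of SPF (`ip4`, `include`, `all`) over constructed records and lists every domain for which a given MTA address yields Pass; the domain names, addresses and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records (example domains, documentation address ranges).
RECORDS = {
    "smallbiz.example": "v=spf1 include:isp.example ip4:198.51.100.25 -all",
    "othercustomer.example": "v=spf1 include:isp.example -all",
    "isp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "ownmta.example": "v=spf1 ip4:203.0.113.7 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate ip against domain's record using only ip4, include and all."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the referenced record returns pass
            matched = check_host(ip, term[8:], records, depth + 1) == "pass"
        else:
            continue  # simplification: mechanisms outside the subset are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def domains_passing(ip, records=RECORDS):
    """Every domain whose record authorises this MTA address."""
    return sorted(d for d in records if check_host(ip, d, records) == "pass")


if __name__ == "__main__":
    # Shared ISP relay: Pass for every customer that includes the ISP's record.
    print("192.0.2.10  ->", domains_passing("192.0.2.10"))
    # Self-run MTA: Pass for exactly one domain.
    print("203.0.113.7 ->", domains_passing("203.0.113.7"))
```

When an audit of your own record shows an authorised address that also passes for unrelated domains, a Pass from that address identifies the relay and not the individual customer behind it.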