spf-discuss

Re: What does PASS really mean?

2004-06-29 11:29:39
"Jonathan Gardner" <jonagard(_at_)amazon(_dot_)com> wrote:
Discussion with Scott Kitterman and others has brought to my attention some
misunderstandings. In particular, what does an SPF PASS result really mean?

As far as I know, the "official" definition of pass is: This server is
authorized to send email for example.com.

SPF is all about authenticating servers, not messages. For example,
trudy(_at_)example(_dot_)com could send a forged email pretending to be
alice(_at_)example(_dot_)com using example.com MTA and it would get an SPF pass.
Without cryptographic signatures, you can't really be sure that a message is
authentic. On the other hand, if it's SPF failed, you can be sure that it's
not respecting the domain owner's policy.

Hope it answers, at least partially, your question,
GFK's
-- 
Guillaume Filion, ing. jr
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/
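
The server-versus-message distinction described in the message above, as an added example that is not part of the original thread: a small evaluator for a subset of SPF (only the ip4, ip6 and all mechanisms, no DNS lookups). The function name `check_host`, the record and the addresses are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample policy (not a real DNS record); the IP ranges used
# here and below are reserved documentation ranges.
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate a subset of SPF for a connecting IP and an envelope sender."""
    # Only the domain of the envelope sender selects the policy. The local
    # part (alice, trudy) is discarded here and never looked at again.
    _local, _, domain = mail_from.rpartition("@")
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"  # no mechanism matched and the record has no "all"


if __name__ == "__main__":
    for ip, sender in [
        ("192.0.2.25", "alice@example.com"),    # authorized MTA, real user
        ("192.0.2.25", "trudy@example.com"),    # same MTA, different user
        ("198.51.100.7", "alice@example.com"),  # host outside the policy
    ]:
        print(ip, sender, check_host(ip, sender))
```

Both alice and trudy get the same result from the authorized MTA because the check never sees who wrote the message, only which host delivered it and for which domain.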