Jonathan Gardner wrote:
How is it possible to lie? Only the domain owners are allowed to publish DNS
records for their domain. The domain owners assert via SPF that mail going
through specific servers is their mail. I must be missing the part where
someone else can publish SPF records for you, and claim mail servers you
don't trust are allowed to send email for you. I don't see how that is
possible.
Suppose example.com is a customer of $bigisp, and for whatever reason, relays
their outgoing mail through $bigisp's mail servers. It's still possible for a
spammer to hijack the machine of any other customer of $bigisp and send mail
out with a sender address of anyone(_at_)example(_dot_)com, which will be OK
according to
example.com's SPF record. However, example.com is clearly not responsible for
that mail.
Paul.