spf-discuss

Re: *****SPAM***** Re: SPF is not usable as legal measure against spammers.

2004-07-14 10:48:32

----- Original Message ----- 
From: "Jonathan Gardner" <jonagard(_at_)amazon(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, July 14, 2004 12:01 PM
Subject: *****SPAM***** Re: [spf-discuss] SPF is not usable as legal measure against spammers.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 14 July 2004 08:09 am, Nico Kadel-Garcia wrote:
(3) SPF an Authentication Mechanism
Your Point:
SPF is not an authentication mechanism.

My Point:
If it isn't an authentication mechanism, then what is it?

It's a lightweight outgoing SMTP policy mechanism in the hands of the
domain owners, relying on existing and robust infrastructure for its
mechanisms.

It's still possible to lie about exactly who you are, which is why it's
not a full-blown authentication mechanism. Don't try to deal with it as
such.


How is it possible to lie? Only the domain owners are allowed to publish DNS
records for their domain. The domain owners assert via SPF that mail going
through specific servers is their mail. I must be missing the part where
someone else can publish SPF records for you, and claim mail servers you
don't trust are allowed to send email for you. I don't see how that is
possible.

You lie about your hostname, your IP address, your reverse PTR records, or
take advantage of a less restrictive domain allowed to post as the domain in
question. Or you interfere with the published DNS of the site in question,
since DNS is not overall designed for robust authentication of other
people's zone information.
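
The point above about a less restrictive domain being allowed to post as the domain in question can be audited by a domain owner from the published records alone. The following is an added example, not part of the original thread: a minimal evaluator for a subset of SPF (ip4, include, all) run over constructed TXT records. Every domain name, address range and function name here is an assumption made for illustration.

```python
import ipaddress

# Constructed TXT records standing in for DNS; every name and address is an example.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 include:bulk.example.net -all",
    "bulk.example.net": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all",
    "strict.example.org": "v=spf1 ip4:192.0.2.0/28 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate ip4, include and all left to right (a subset of RFC 7208)."""
    record = zone.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only when the included record itself yields pass
            matched = check_host(ip, mech[8:], zone, depth + 1) == "pass"
        else:
            matched = False  # mechanisms outside this subset are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def authorized_networks(domain, zone=ZONE, seen=None):
    """List each ip4 network that can produce pass, with the record granting it."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in zone:
        return []
    seen.add(domain)
    nets = []
    for term in zone[domain].split()[1:]:
        if term.startswith(("ip4:", "+ip4:")):
            nets.append((term.split(":", 1)[1], domain))
        elif term.startswith(("include:", "+include:")):
            nets += authorized_networks(term.split(":", 1)[1], zone, seen)
    return nets

if __name__ == "__main__":
    for net, granted_by in authorized_networks("example.com"):
        print(f"{net:18} authorized via {granted_by}")
    print(check_host("203.0.113.77", "example.com"))         # via the include
    print(check_host("203.0.113.77", "strict.example.org"))  # no include
```

The same sending address passes for the domain that includes the broader record and fails for the one that does not, so the effective policy of a domain is the union of every record it includes.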

