spf-discuss

Re: SPF is not usable as legal measure against spammers.

2004-07-15 01:49:19
--On Wednesday, July 14, 2004 12:08:04 -0400 Chuck Mead <csm(_at_)moongroup(_dot_)com> wrote:


Jonathan Gardner wrote:

| How is it possible to lie? Only the domain owners are allowed to publish DNS
| records for their domain. The domain owners assert via SPF that mail going
| through specific servers is their mail. I must be missing the part where
| someone else can publish SPF records for you, and claim mail servers you
| don't trust are allowed to send email for you. I don't see how that is
| possible.

You might think a bit about why relay based on MX is a bad config option.

That's a different story. MX RRs can be published for _any_ FQDN and point to your systems. So it is obvious that these MX RRs are not under your control and you should not use them for authentication purposes.

SPF records are published only in _your_ domain, which should be under your control. This is safe for authentication purposes (assuming that you can trust your registrar and/or DNS provider, but without that trust you would have more urgent problems than MTA authentication).

Ralf Döblitz
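
The difference in who controls the record, as an added illustration that is not part of the original thread. The zone data, host names and function names are constructed for this sketch, and the SPF check is deliberately simplified to `ip4` mechanisms only (it is not a full SPF evaluator).

```python
import ipaddress

# Constructed DNS data (documentation names and addresses, not real zones).
# Each zone's records are written only by whoever controls that zone.
DNS = {
    # Our own zone: we publish which hosts may send mail for us.
    "example.org": {"MX": ["mx.example.org"],
                    "TXT": ["v=spf1 ip4:192.0.2.10 -all"]},
    # A zone controlled by a stranger, who pointed its MX at our server.
    "stranger.example": {"MX": ["mx.example.org"],
                         "TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

MY_HOSTS = {"mx.example.org"}  # hypothetical name of our own mail server


def relay_allowed_by_mx(rcpt_domain, dns=DNS, my_hosts=MY_HOSTS):
    """Relay-by-MX policy: accept mail for any domain whose MX names us.

    The record consulted lives in the recipient domain's zone, so that
    zone's owner, not the server operator, decides the outcome.
    """
    mx_hosts = dns.get(rcpt_domain, {}).get("MX", [])
    return any(host in my_hosts for host in mx_hosts)


def spf_permits(sender_domain, client_ip, dns=DNS):
    """Simplified SPF check: ip4 mechanisms only, anything else fails.

    The record is read from the sender domain's own zone, so only that
    domain's owner can authorize a sending address for it.
    """
    ip = ipaddress.ip_address(client_ip)
    for txt in dns.get(sender_domain, {}).get("TXT", []):
        terms = txt.split()
        if not terms or terms[0] != "v=spf1":
            continue
        for term in terms[1:]:
            if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
                return True
    return False


if __name__ == "__main__":
    print("relay for stranger.example:", relay_allowed_by_mx("stranger.example"))
    print("203.0.113.5 may send as example.org:",
          spf_permits("example.org", "203.0.113.5"))
```

The stranger's MX record alone changes the relay decision, while the stranger's SPF record has no effect on which addresses are authorized for `example.org`.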