spf-discuss

Re: SPF and Responsibility

2004-07-21 10:48:54
On Wednesday 21 July 2004 19:17, Jonathan Gardner wrote:

> > Nowhere does it say that any SPF "pass" result means that the sending
> > domain accepts responsibility for email in a complete and legally-binding
> > way. In fact I would go as far as to wager that if it did say something
> > like that then the number of domains publishing SPF would shrink
> > significantly and the technology would never actually take off.
>
> Here again, it supports my argument. If I permit email to be sent in my
> name, I am claiming responsibility for it.

Nope.

"SPF pass" doesn't mean in any way "All the mail coming from that server and 
claiming to be from me is actually from me".

"SPF pass" means "This server is a legitimate and usual sender of e-mail 
coming from my domain". That's all. And that's already nice, as an "SPF fail" 
will then mean "This e-mail comes from an unauthorized server and should be 
discarded as it most probably forges its origin".

SPF is not (and I believe it wasn't meant to be, in the first place) a means 
of assuring with 100% certainty whether a given message bears a true or a 
forged origin.

SPF is meant to help detect most forgeries more easily in the vast majority of 
cases.

Suppose "my-little-domain.com" relays its outgoing mail through its IAP's server. 
Then it will be logical for "my-little-domain.com" to configure their SPF 
record so as to state that their IAP's server is a legitimate sender of mail 
from their domain.

But that in no way means that EVERY mail sent by others through this IAP's server 
actually comes from "my-little-domain.com". Some could be forgeries made by 
customers of the same IAP.

OTOH, this SPF record will prove very useful in eliminating all forgeries that 
would come from any other server, and that will be the vast majority.

-- 
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
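The shared-relay situation described in the post, worked through as an added example (this code is not part of the thread and is not any SPF library's implementation). It assumes a constructed in-memory table of SPF records using RFC 5737 documentation addresses, and implements only the ip4, ip6 and all mechanisms of RFC 7208; mechanisms that need DNS (a, mx, include, ...) are deliberately left out. The point it makes visible is that a genuine message and a forgery sent by another customer through the same IAP relay are indistinguishable to SPF (both "pass"), while a forgery from any other address "fails".

```python
import ipaddress

# Constructed records using documentation address space (RFC 5737), not real hosts.
# Both domains are customers of the same IAP and relay through its server 203.0.113.25.
RECORDS = {
    "my-little-domain.com": "v=spf1 ip4:203.0.113.25 -all",
    "other-customer.example": "v=spf1 ip4:203.0.113.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS):
    """Evaluate the SPF record of `domain` for the connecting address `ip`.

    Returns one of "pass", "fail", "softfail", "neutral" or "none". Only the
    ip4, ip6 and all mechanisms are implemented here; DNS-dependent mechanisms
    (a, mx, include, exists, ptr) raise NotImplementedError in this example.
    """
    record = records.get(domain)
    if record is None:
        return "none"                      # no SPF record published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare address => /32 or /128
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS; not handled here")
    return "neutral"                       # nothing matched and no explicit "all"


# Constructed SMTP sessions: (label, connecting IP, MAIL FROM domain).
# The first two are identical on the wire: SPF cannot tell them apart.
SCENARIOS = [
    ("genuine mail via the IAP relay", "203.0.113.25", "my-little-domain.com"),
    ("forgery by another IAP customer via the same relay", "203.0.113.25", "my-little-domain.com"),
    ("forgery from an unrelated server", "198.51.100.7", "my-little-domain.com"),
    ("sender domain with no SPF record", "203.0.113.25", "no-record.example"),
]


def evaluate_scenarios(records=RECORDS):
    """Return {label: SPF result} for each constructed session."""
    return {label: check_host(ip, dom, records) for label, ip, dom in SCENARIOS}


if __name__ == "__main__":
    for label, result in evaluate_scenarios().items():
        print(f"{result:8s} {label}")
```

Run as a script it prints one line per scenario; the two relay cases both come out as "pass", which is exactly the gap the post describes, and the third as "fail", which is the forgery class SPF does catch. A production checker (for example one following RFC 7208 in full) resolves the DNS mechanisms and enforces the lookup limits that this illustration omits.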
