On Wednesday 21 July 2004 20:52, terry(_at_)ashtonwoodshomes(_dot_)com
wrote:
> If I am correct, then even an SPF pass does not prove the email to be
> legitimate or from the owner of the domain.
You are correct, because an "SPF pass" is not meant to *prove* that an email
is "legitimate from the owner of the domain". It is only meant to prove that
this server is explicitly authorized to send this domain's email -- and not
ONLY this domain's email, and not 100% non-forged email. These last two
assumptions would be your own interpretation.
Let's come back to the sources. When I started using SPF and published my
first record, I first read the documentation available from the SPF website
(obviously), then played a little with the "record creation wizard", then
created records by hand.
All the literature there states things like "List servers that normally send
mail from your domain".
It nowhere states that these servers should send *only* mail from your
domain, nor that you have full administrative control over them, nor that a
forged mail should never be able to pass through them, nor that you actually
commit to taking liability for all email coming through these servers that
claim to be "from you" or from another user of your domain.
These extensions about "responsibility", "liability" or "accountability" are
pure extrapolations in the mind of people thinking that SPF should mean more
than what it actually means.
--
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
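The distinction drawn in the message above (an SPF "pass" says only that the connecting IP is authorized for the domain named in the envelope sender, not that the message is genuine or that the server sends only that domain's mail) is easiest to see by running a minimal evaluator. The example below is added here and is not code from the original message or from the SPF project; it implements only the `ip4`, `include` and `all` mechanisms over a constructed, in-memory DNS table with reserved documentation addresses and made-up domain names, so it runs offline. A shared ISP relay is included by two unrelated domains, which is exactly the "not ONLY this domain's email" case.

```python
import ipaddress

# Constructed TXT records for illustration only; none of these domains
# or addresses are real. Two domains both include the same ISP relay.
DNS_TXT = {
    "example.org":       "v=spf1 ip4:192.0.2.10 include:isp-relay.example -all",
    "other.example":     "v=spf1 include:isp-relay.example ~all",
    "isp-relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Minimal SPF check_host(): ip4, include and all mechanisms only.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only the client IP and the envelope-sender domain are consulted;
    the message body and the From: header play no part, which is why a
    pass cannot certify who actually wrote the message.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include matches only when the referenced record yields pass
            if check_host(ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched, no "all"


def spf_for_message(client_ip, mail_from):
    """Evaluate SPF for an SMTP session using the MAIL FROM domain only."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_host(client_ip, domain)


if __name__ == "__main__":
    # Domain's own server: pass, as expected.
    print(spf_for_message("192.0.2.10", "alice@example.org"))      # pass
    # Shared ISP relay: pass for example.org AND for other.example,
    # so a pass says nothing about which customer of the relay sent it.
    print(spf_for_message("198.51.100.7", "alice@example.org"))    # pass
    print(spf_for_message("198.51.100.7", "bob@other.example"))    # pass
    # Unlisted host: the domain's own "-all" / "~all" decides.
    print(spf_for_message("203.0.113.5", "alice@example.org"))     # fail
    print(spf_for_message("203.0.113.5", "bob@other.example"))     # softfail
```

Note that `check_host` never looks at the message itself: a receiver that treats a pass as proof of legitimacy is adding the "accountability" semantics the message above argues SPF does not carry. What a pass does give a defender is a reliable binding between the envelope-sender domain and a host that domain chose to list, which is useful for reputation tracking and for rejecting on `-all`, but not as a substitute for content authentication.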