-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Daniel
Taylor
Sent: Thursday, July 22, 2004 10:49 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF and Responsibility
terry(_at_)ashtonwoodshomes(_dot_)com wrote:
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of
Daniel Taylor
Sent: Thursday, July 22, 2004 9:53 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF and Responsibility
Michel Bouissou wrote:
Le jeudi 22 Juillet 2004 14:46, Daniel Taylor a écrit :
Any given web page you receive from my server is expected
to be from me.
If I say that a mail server is "authorized" (SPF PASS) to
send e-mail
for me and you receive e-mail claiming to be from me from
that server
it is implied (quite strongly) that it is a message from me
in the same
way.
Comparing web/http and email/smtp makes no sense whatsoever.
Why not?
Comparing SMTP to HTTP does not make sense because:
In http, the RECIPIENT makes the request for information,
and the RECIPIENT gets to choose (via the
browser, his trusted DNS server, etc) the correct source of
the information.
In SMTP, the RECIPIENT does NOT request the information,
nor gets to choose where it comes from.
Just a hypothetical here:
Suppose you could only send SMTP traffic from a valid MX matching
the MAIL FROM and From: headers in the e-mail.
Would that not make SMTP authentication equivalent to http source
authentication?
Not even close. The SPF source domain authentication is at the source domain
name level, not at the
source domain name and source username level. Assuming no compromised servers:
With http you know
who you are, and you know for certain who the info is coming from. With SMTP
and SPF you may know
with reasonable probability where its coming from but not *who*.
Course this HTTP to SMTP comparison/analogy is not really good to begin with,
it really is like
comparing apples to oranges:
-the data is flow the other direction (requested, vs not requested)
-HTTP talks to the senders DOMAIN, SMTP receives from a user at the senders
domain
Terry
The fact is that for _most_ organizations it is a perfectly reasonable
setup as well. The existence of exceptions is the only reason we need
something like SPF.
--
Daniel Taylor VP Operations Vocal
Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com http://www.vocalabs.com/
(952)941-6580x203
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Send us money! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily
deactivate your subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com