| However, consider that supporting "-all" for SPF (in order to give SPF similar anti-forgery power)
| for all domains is also going to require upgrades to all MUAs in order to integrate with many different
| flavors of SMTP authentication at many different servers.
Dude. This statement is completely wrong and I hate to see anyone
betting the farm on a business idea which is factually incorrect on its
original premise!
Please read the next sentence carefully:
"SPF HAS NOTHING WHATSOEVER TO DO WITH ANY MUA'S ANYWHERE AT ANYTIME...
IT IS A SERVER SIDE TOOL... PERIOD!"
Sorry but you are wrong.
Let me explain this a little more clearly:
1. SPF sets a DNS record which tells us which IP addresses in Received: header
to trust.
2. That DNS record can optionally contain "-all", which if present means that
all unforged email sent from the domain has to go through one of those approved
IP addresses. If not present, then it means unforged email could be sent from
other IP addresses.
3. Thus if a receiver (be it the MTA or MUA) is verifying whether an email is a
forgery, if the "-all" is not present in the SPF DNS record, then the question
can not be answered with 100% certainty.
4. Thus "-all" is required to be able to identify forgery from a domain with 100%
certainty with SPF.
5. But for "-all" to be enabled for a domain, the senders from that domain have
to be able to send their email over the approved IP addresses. If "-all" is
present and sender does not send over approved IP, the senders' email will be
marked as forgery by verifier.
6. In order for a sender to send over the approved IP addresses, if the sender
is not already verified by his access to a local network, then the only other
way that sender can send over the approved IP mail server is to use
authenticated SMTP. If not using authenticated SMTP, then the mail server
would be an open relay.
7. So since I have established that SMTP authentication is a requirement for
"-all" in many cases, and since "-all" is a requirement for detecting forgery
with 100% certainty using SPF, then all I need to factually state is that SMTP
authentication requires MUAs to be configured differently (and for many users
of older versions of MUA must upgrade first) than non-authenticated SMTP.
8. But the bigger problem for "-all" in SPF, is how will an ISP ever know that
all of its users are sending all their email over the approved IPs? It is
simply impossible for an ISP to ever know that. An ISP's user can access the
internet with a different ISP, and then set their From: address to the first
ISP's domain. I do that all the time when I travel.
If you think a while, you will be able to wrap your head around it.
Thanks,
Shelby