1. SPF sets a DNS record which tells us which IP addresses in
Received: header to trust.
Wrong.
At SMTP dialogue level, SPF checks whether a relay is authorized to
send mail on behalf of a domain name found in either the envelope-from or
helo string.
Not wrong.
The IP address of first Recieved: header is the same as the IPaddress of the
last relay.
Same thing.
That is the power of SPF: since the IP address is checked at
connection time, it cannot be forged (hence, requires no signed headers).
Read above.
Whether an MUA can trust a Received: header is an entirely different matter.
Only if can trust the last MTA chain leading to it's mailbox and the
transmission from the mailbox, then it can trust the 1st Received header, which
is usually true.
So, lemme see if I got this straight. Your objection to SPF is that it would
be too cumbersome to 'upgrade' existing MUA's to use a long-since proven and
approved technology such as SMTP AUTH, right?
No. You should read the entire thread before posting more.
And then you pitch your idea
which would require MUA's all over the world to be upgraded/patched with
your wee scheme?? Surely, you must, at some point, be aware of the irony of
this! LOL :)
You obviously did not read the entire thread. We covered this exact debate
already and I made a very convincing argument.
Good luck!
Shelby