spf-discuss

Re: SPF-compliant phishing?

2004-09-15 08:03:31
Really early, and on a busy week. I probably shouldn't be posting
to public forums at all right now.
:^P
David Woodhouse wrote:
> You don't seem to be paying attention. You're top-posting again, for a
> start. It is early where you are, I suppose -- you probably didn't even
> notice that the list broke the GPG signature, did you? I thought that
> was a nice touch, but subtlety can be lost if you try it before the
> recipient has had sufficient coffee in the morning :)

Not that most people really care about top posting that much; given
the content, I should have deleted the quotes.

The list has _always_ broken attachment style GPG sigs, but not inline
ones, see my older posts before my last Mozilla upgrade broke GPG
again for some verifiable ones.

OK, caffeinated avenger to the rescue!

SPF doesn't validate users, so SPF validation doesn't know or care
if the user is forged. The macro expansion combined with strict
mailer policies _does_ give some control there, but the recipient
has no way to tell if the server in question implements such
policies at all or effectively.

More simply put: validating the user in the first 2 examples
is beyond the scope of SPF.

The shared hosting scenarios do illustrate a difficult example
of this as the hosting provider needs to have good controls
in place or customer cross-forging at the domain level becomes
possible. It is not possible for the recipient to evaluate the
policies of the provider directly, so it is necessary for the
domain owner to do so and set their SPF record accordingly.

More simply put: if the domain owner trusts their provider
enough to publish + instead of ?, who am I to gainsay them?
If I get spam with their domain validated, it is their
reputation that will suffer.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
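The point made above, that SPF checks the sending host against the envelope sender's domain and never looks at the local part, and that a domain owner's choice of `+` versus `?` decides whether a match means "pass" or merely "neutral", can be seen in a minimal SPF evaluator. This is an added example, not code from the post or from any SPF implementation; the domains and records are constructed for illustration, and only the `ip4` and `all` mechanisms are implemented (no `a`, `mx`, `include`, macros or DNS lookups).

```python
import ipaddress

# Constructed SPF records for hypothetical domains (no DNS is consulted).
# example.test publishes its mail host with the default "+" qualifier;
# shared.example.test hedges with "?" because the host is a shared provider.
RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "shared.example.test": "v=spf1 ?ip4:198.51.100.7 -all",
}

# SPF qualifiers and the result each yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(client_ip, mail_from, records=RECORDS):
    """Minimal SPF check over ip4/all only.

    Only the connecting IP and the domain part of MAIL FROM influence the
    result; the local part (the user) is discarded before evaluation.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, arg in parse_record(record):
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == 4 and ip in network
        else:
            raise ValueError(f"unsupported mechanism: {mechanism}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (no "all" term)


def local_part_is_ignored(client_ip, domain, users=("alice", "ceo")):
    """True when every local part at the domain gets the same SPF result."""
    results = {check_host(client_ip, f"{u}@{domain}") for u in users}
    return len(results) == 1


if __name__ == "__main__":
    # A forged user at an authorized host passes just like a real one.
    print(check_host("192.0.2.10", "alice@example.test"))        # pass
    print(check_host("192.0.2.10", "ceo@example.test"))          # pass
    # An unauthorized host fails regardless of user.
    print(check_host("203.0.113.5", "alice@example.test"))       # fail
    # The "?" qualifier only ever yields neutral, never pass.
    print(check_host("198.51.100.7", "bob@shared.example.test"))  # neutral
```

The recipient-side lesson is the one the post draws: a "pass" says the domain owner authorized that host, not that the mailbox name in MAIL FROM is genuine, so user-level forgery from an authorized shared host is invisible to SPF and falls to the provider's own controls and the owner's choice of qualifier.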

