On Tue, Sep 21, 2004 at 04:09:12PM -0400, Stuart D. Gathman wrote:
I really disagree. When you check my SPF record, really the only thing you
can determine, is whether the relay is authorized to send mail on behalf of
my domain name. You cannot, as receiver, authenticate the
"RFC2821.MailFrom"
address with that information. For one, because SPF checks are done against
the RHS of the domain, not the LHS (local part) of the address.
The SPF checks are done against both LHS and RHS of the address. It is up
to the sender whether the LHS is actually used (via the exist mechanism, for
instance).
Agreed. But even in that example, all you know is that a certain relay is,
or is not, allowed to send mail on behalf of $user(_at_)$domain(_dot_) You
cannot know
if the message was really sent by $user(_at_)$domain, the only think you know is
that $domain _authorizes_ $relay to do so.
Authentication is performed on another level.
Authentication: is this really $relay? Is this message really coming from ... ?
Authorization: is $relay allowed to ... ?
All SPF does is to tell the receiver that what the sender thinks of a
certain relay and mail_from combination. Implicitly the sender is saying:
I trust this relay (or not, depending on the outcome of an SPF lookup).
Trusting the senders trust is, IMHO, not the same as authentication.
If you setup an SPF record including my ip-address, I can spoof mail from.
My server would be authorized, the sender (me!) would not be authenticated.
cheers,
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.