spf-discuss

Re: Attacking Domain Keys

2004-11-29 13:47:15
In <MHEGIFHMACFNNIMMBACAIEIJJBAA(_dot_)sethg(_at_)GoodmanAssociates(_dot_)com> 
"Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com> writes:

>> I really don't get your argument.  Pre-data rejection would be done by
>> technologies like SPF.  DK has value on top of that.
>
> SPF has limited ability to reject forgeries as long as it relies on SRS to
> do forwarding.  There is no way to detect a forged forward with an SRS
> return-path, so that is predictably what forgers will do if SPF is widely
> adopted.  If you want to reject forgeries before data, you need something
> other than SPF+SRS.

I must be missing something.  Why can't you detect a forged forward
with an SRS return-path?  The forwarder can publish SPF records, just
like everyone else.  Also, a forwarder's SPF record can contain an
exists: mechanism similar to the one in the SES draft in case there
are more forwarders that don't do SRS.


-wayne


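Wayne's point above is that an SRS-rewritten return-path carries the forwarder's domain, so the receiver evaluates SPF against the forwarder's record, and that an exists: mechanism with macros can make the DNS answer depend on the local part of the address. The following Python is an added example, not code from this thread or from any SPF, SRS or SES implementation: it rewrites and verifies SRS0 addresses for a constructed forwarder (forwarder.example, with a constructed secret), then evaluates a small constructed SPF record whose exists:%{l}._srs.%{d} mechanism is answered by a simulated DNS authority that only affirms addresses the forwarder itself minted. The _srs label, the record, the 21-day window and the base32 hash encoding are assumptions of this example, not the SES draft's format.

```python
"""Verify SRS return-paths and simulate an SPF exists: check against them."""
import base64
import hashlib
import hmac
import re

SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # alphabet SRS uses for timestamps
# Constructed values for this example; nothing here comes from the thread.
FORWARDER_DOMAIN = "forwarder.example"
FORWARDER_SECRET = b"constructed-forwarder-secret"
MAX_AGE_DAYS = 21
# Constructed forwarder SPF record: its own outbound host plus a per-address exists: check.
SPF_RECORD = "v=spf1 ip4:192.0.2.10 exists:%{l}._srs.%{d} -all"


def srs_timestamp(days):
    """Two-character SRS timestamp: day count modulo 1024, base32 encoded."""
    return SRS_BASE32[(days >> 5) & 31] + SRS_BASE32[days & 31]


def srs_timestamp_valid(ts, today_days, max_age=MAX_AGE_DAYS):
    """True if ts encodes a day no more than max_age days before today (mod 1024)."""
    ts = ts.upper()
    if len(ts) != 2 or any(c not in SRS_BASE32 for c in ts):
        return False
    encoded = SRS_BASE32.index(ts[0]) * 32 + SRS_BASE32.index(ts[1])
    return (today_days - encoded) % 1024 <= max_age


def srs_hash(secret, ts, orig_domain, orig_local):
    """Truncated HMAC over the rewritten fields. Base32 (an assumption of this example,
    SRS implementations commonly use base64) keeps the tag valid after DNS case folding."""
    msg = (ts + orig_domain + orig_local).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b32encode(digest)[:5].decode()


def srs_rewrite(original_sender, today_days, secret=FORWARDER_SECRET, forwarder=FORWARDER_DOMAIN):
    """Forwarder-side rewrite: user@orig.example -> SRS0=HHHHH=TT=orig.example=user@forwarder."""
    orig_local, orig_domain = original_sender.rsplit("@", 1)
    ts = srs_timestamp(today_days)
    return f"SRS0={srs_hash(secret, ts, orig_domain, orig_local)}={ts}={orig_domain}={orig_local}@{forwarder}"


def srs_verify(address, today_days, secret=FORWARDER_SECRET, forwarder=FORWARDER_DOMAIN):
    """Return the original sender if this forwarder minted the SRS0 address, else None.
    A return-path that merely looks like SRS fails here: the hash needs the forwarder's secret."""
    if "@" not in address:
        return None
    local, domain = address.rsplit("@", 1)
    if domain.lower() != forwarder:
        return None
    m = re.fullmatch(r"SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)", local, re.IGNORECASE)
    if m is None:
        return None
    h, ts, orig_domain, orig_local = m.groups()
    if not srs_timestamp_valid(ts, today_days):
        return None
    if not hmac.compare_digest(h.upper(), srs_hash(secret, ts, orig_domain, orig_local)):
        return None
    return f"{orig_local}@{orig_domain}".lower()


def expand_macros(target, sender):
    """Expand the SPF macros %{s}, %{l} and %{d} in an exists: target (RFC 7208 section 7).
    Lowercased because the lookup is a DNS name; long local parts would exceed the
    63-octet label limit, which a real deployment has to account for."""
    local, domain = sender.rsplit("@", 1)
    return target.replace("%{s}", sender).replace("%{l}", local).replace("%{d}", domain).lower()


def forwarder_exists_lookup(qname, today_days):
    """Simulated authoritative DNS for forwarder.example: the name exists (an A record
    would be returned) only when its first labels form an SRS0 address we minted."""
    suffix = "._srs." + FORWARDER_DOMAIN
    if not qname.endswith(suffix):
        return False
    local = qname[: -len(suffix)]
    return srs_verify(f"{local}@{FORWARDER_DOMAIN}", today_days) is not None


def spf_result(sender, client_ip, today_days, record=SPF_RECORD):
    """Tiny SPF evaluator covering only the terms in SPF_RECORD: ip4 (single address,
    no CIDR), exists and -all. Returns 'pass', 'fail' or 'neutral'."""
    for term in record.split()[1:]:
        if term.startswith("ip4:") and client_ip == term[4:]:
            return "pass"
        if term.startswith("exists:") and forwarder_exists_lookup(expand_macros(term[7:], sender), today_days):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"


if __name__ == "__main__":
    today = 20000  # constructed day count so the run is reproducible
    genuine = srs_rewrite("user@orig.example", today)
    forged = f"SRS0=00000={srs_timestamp(today)}=orig.example=user@{FORWARDER_DOMAIN}"
    for rp in (genuine, forged):
        print(rp, "->", spf_result(rp, "198.51.100.7", today))
```

The receiving side never needs the forwarder's secret: it only expands the exists: target and asks the forwarder's DNS, which is the part of Wayne's argument the thread does not spell out. The forgery above copies the SRS0 layout exactly but fails because the forwarder's nameserver will not affirm a name carrying a tag it never produced, and an expired timestamp fails the same way.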