spf-discuss
[Top] [All Lists]

RE: Sendmail white paper

2004-12-07 08:58:32
On Tue, 2004-11-23 at 12:02 -0500, Scott Kitterman wrote:
CSV operates on behalf of the MTA operator.  SPF operates on behalf of the
domain owner.  My guess is that there is a large overlap between these two
groups.  The overlap is not, however, a unity.

You're not thinking holistically and considering the practical
applications. The reason I consider SPF and CSV to be equivalent in what
they offer is because each requires some kind of reputation service in
order to be truly useful in stopping unwanted mail; each serves to give
you a validated 'name' which you can use to look up the mail server
which is offering you the mail.

SPF only really gives you that much; it isn't an end-to-end method of
verifying that the mail really did come from you in the first place.
That's because of SRS, as explained previously -- a recipient can't tell
whether SRS0=xx=yy=kitterman(_dot_)com=spf2(_at_)srs(_dot_)infradead(_dot_)org 
is really a
genuine forwarded message from you, or a fake. It's all about how much
the reputation service says you should trust "srs.infradead.org". And
that's why I say that CSV and SPF are basically equivalent in what they
offer.

If you 'volunteered' them, they may welcome the mail getting rejected
because of SPF ;).  If they agreed to take that mail from you, then they
ought to whitelist you from SPF checking if their MX checks SPF.  It is an
additional complexity, I agree, but I believe it to be manageable.

They can't necessarily whitelist it. If their ISP is checking SPF, the
customers don't necessarily have a way to whitelist anything. The
forwarding problem is played down so much by the SPF advocates and the
web site that those few people who do check SPF because they aren't
really thinking for themselves certainly aren't likely to implement a
whitelisting facility.

Nothing is inherently wrong with CSV, but it's not deployed yet and it
doesn't relate to my particular problem.

SPF isn't that widely deployed yet _either_, if you speak of people
actually _checking_ it rather than just publishing a record. I explained
above why in _practical_ terms it's as relevant an answer to your
particular problem as SPF is.

Which of these alternatives am I able to deploy now?

DK, IIM, SES. And the new META Signatures which are the result of
William's merge of the best parts of DK and IIM, which looks promising.

A large number of hosts out there stopped accepting forged mail from
dwmw2(_at_)infradead(_dot_)org 9 months ago. Yet they accept real mail which is
from me but forwarded. 

IIM/DK aren't really ready for me as far as I can tell.

Why so? Each is being used in the wild already. 

-- 
dwmw2


<Prev in Thread] Current Thread [Next in Thread>