"Mark Berry" asked
I'm a noob to the spf list, so forgive me if this has been brought up
before.
What about a PKI signature of each message?
I believe this is what DomainKeys is attempting.
The challenge for such systems is that the message is often altered during
transmission (trace headers added, lists adding subscription info to the body,
advertisments added, etc.) , and attempts to isolate those parts which are not
altered (i.e. to be signed as 'the' message) end up leaving out vital headers or
failing to protect the entire message, which can then be forged, tampered with
or modified.
SES have also investigated the related challenge, of trying to form a
cryptographic digest so that you know two copies of what is purported to be the
same message are actually the 'same'; my list of problems (above) is derived
from watching SES, not from any in-depth knowledge of what DomainKeys is
actually doing.
My personal conclusion is that any system relying on the message content
remaining invariant cannot work in today's SMTP environment.
Chris Haynes