In a recent discussion, a friend said I should not use the term
"authentication" in connection with SPF, because "SPF doesn't do
authentication". It only checks that a domain *authorizes* a particular
server to send mail on its behalf. If a server allows any domain to use it
as a forwarder, there is no way for the downstream receiver to authenticate
the claimed domain name.

CSV separates authentication and authorization into two distinct
steps. While the distinction is quite valid, it seems to me that it is
still OK to refer to SPF as an email authentication method, at least in
contexts where separation of the two is not important. For example, if I'm
making a list of "email authentication methods", I would not think to
exclude SPF. On the other hand, I would not say "SPF authenticates the
domain claimed in the Mail From command".

Any thoughts on this issue?
--
Dave
************************************************************ *
* David MacQuigg, PhD email: dmquigg-spf at yahoo.com * *
* IC Design Engineer phone: USA 520-721-4583 * * *
* Analog Design Methodologies * * *
* 9320 East Mikelyn Lane * * *
* VRS Consulting, P.C. Tucson, Arizona 85710 *
************************************************************ *
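
Added example, not part of the original message: a simplified SPF check showing the authorization-only behaviour described in the first paragraph, where the verdict depends solely on the claimed domain and the connecting IP. Assumptions: only ip4/ip6/all terms are handled, there are no DNS lookups, and the domains, records and addresses are constructed.

```python
import ipaddress

# Constructed SPF records (documentation domains and address ranges).
# Both domains authorize the same shared forwarder, 192.0.2.25.
SPF_RECORDS = {
    "alice.example": "v=spf1 ip4:192.0.2.25 -all",
    "bob.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Simplified SPF: evaluates ip4/ip6/all terms left to right."""
    record = records.get(mail_from_domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this simplified subset
    return "neutral"


def demo():
    # The only inputs are (claimed domain, connecting IP). Nothing here
    # identifies which user of the forwarder submitted the message, so a
    # "pass" means "this server is authorized by the domain", not "the
    # sender is the domain".
    forwarder, unlisted = "192.0.2.25", "198.51.100.7"
    return {
        ("alice.example", forwarder): check_spf("alice.example", forwarder),
        ("bob.example", forwarder): check_spf("bob.example", forwarder),
        ("alice.example", unlisted): check_spf("alice.example", unlisted),
        ("bob.example", unlisted): check_spf("bob.example", unlisted),
    }


if __name__ == "__main__":
    for (domain, ip), result in demo().items():
        print(f"MAIL FROM domain={domain:14} client={ip:13} -> {result}")
```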