-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Alex van den Bogaerdt wrote:
It doesn't matter who send the message. If it goes through an
authorized host, domainowner.example.ORG has to deal with abuse.
Exactly, and that's why...
| authorizing smtp.example.COM to send mail using domainowner.example.ORG
| as the sender address
...is perfectly equivalent to...
| asserting authenticity of the use of domainowner.example.ORG as the
| sender address in all mail coming from smtp.example.COM.
Or, if you disagree, then what's the difference between the two?
Ergo it is, in _any_ case, not very useful to assert "Pass" for MTAs
who do not prevent cross-customer forgery, even if "Pass" just means
"you can send me the bounces".
I happen to know a host that I fully trust but which does not
prevent cross customer forgery. If I want to say "+thathost"
then it's _my_ domain's reputation on stake.
Well, you can. Even if "Pass" implies authenticity. It may not be useful
if the host is not guaranteed to prevent cross-customer forgery, but it's
your choice. I never said anything to the contrary. :-)
"Pass" really cannot mean anything other than a full "authentic" AKA
"you can hold my domain responsible". q.e.d.
I deal with complaints, having send the message or not.
I thought SPF was supposed to prevent that. Maybe SPF has become entirely
pointless now. I sure hope not.
Authentic != {accountable|responsible}.
If "authentic" does not mean "I know for sure who is responsible", then
what does it mean?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCn7xKwL7PKlBZWjsRAjYOAKCZFEvNiwDjfL/KC82MeKnY3VwFAgCgxThe
idjrgF4dL5Cf+wY7mcY3lWk=
=AwyE
-----END PGP SIGNATURE-----