Hi Guys,

I've been following this list for some time now and have also been
investigating the other sender authentication schemes - mainly Sender-ID (which
I do understand has major problems) and DKIM (which is a possibility, although
it has its own problems).

From my point of view, and I may be wrong, does SPF have these problems and if
so what are the solutions:
- Doesn't guarantee that the message is from the actual sender when a shared
MTA is used (which is the case most of the time for most small/medium-sized
businesses, I would have thought?)
- Doesn't always guarantee the address is correct... Phishing attacks can
gain a pass by publishing SPF for their domain, but use different headers which
will then be displayed in a standard e-mail client such as Outlook.
- Only useful for FALSE results - i.e. the sender is forged? So if a phisher
publishes valid SPF for his domains he can gain a pass... I suppose this is a
benefit in that it is easier to blacklist said spammer.
- Forwarding causes problems unless SRS or some other re-writing is employed?

I do understand that SPF is not an anti-spam solution, but a step in helping
decide what is spam or forged e-mail, but I do have concerns about how successful
it can be in that area.

Dan
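
The second and third points above describe an SPF pass for the envelope sender's domain alongside a different From: header shown by the mail client. The following is an added example, not part of the original post, of how a receiver could flag that case. The function names, result labels and sample messages are constructed, the SPF result is assumed to come from an existing SPF checker, and the subdomain matching is a simplification.

```python
from email import message_from_string
from email.utils import getaddresses

def domain_of(address):
    """Lower-cased domain part of an address, '' when there is none."""
    address = address.strip("<> ")
    return address.rpartition("@")[2].lower().rstrip(".") if "@" in address else ""

def related(a, b):
    """True if the domains are equal or one is a subdomain of the other
    (a simplification; a real check needs a public-suffix list)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def classify(raw_message, mail_from, spf_result):
    """Compare the SPF-checked envelope domain with the From: header domain(s).

    mail_from  -- envelope sender from SMTP MAIL FROM (what SPF evaluated)
    spf_result -- result string from an SPF checker (assumed input)
    """
    if spf_result != "pass":
        return "spf-" + spf_result        # envelope domain not authenticated
    envelope = domain_of(mail_from)
    if not envelope:
        return "no-envelope-domain"       # null reverse-path, e.g. a bounce
    msg = message_from_string(raw_message)
    shown = [domain_of(addr) for _, addr in getaddresses(msg.get_all("From", []))]
    shown = [d for d in shown if d]
    if not shown:
        return "no-header-from"
    if all(related(envelope, d) for d in shown):
        return "pass-aligned"
    # SPF passed, but for a domain the reader never sees in the mail client.
    return "pass-mismatch"

# Constructed sample messages; all domains are placeholders.
ALIGNED = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
MISMATCH = 'From: "Example Bank" <support@bank.example>\nSubject: verify\n\nbody\n'

if __name__ == "__main__":
    print(classify(ALIGNED, "bounces@mail.example.com", "pass"))
    print(classify(MISMATCH, "<x@bulk-sender.example>", "pass"))
    print(classify(ALIGNED, "<>", "pass"))
    print(classify(MISMATCH, "x@bank.example", "fail"))
```

A "pass-mismatch" result is the case where the pass is best treated as a reputation key for the envelope domain, not as evidence about the displayed sender.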