spf-discuss
[Top] [All Lists]

Re: [spf-discuss] The problems with SPF

2005-08-26 15:10:10
Julian Mehnle writes:
I predict that forwarding without sender rewriting will die and SPF (or
an equivalent technology) will succeed, because, overall, authenticity of 
sender addresses simply is much more important to users than forwarding 
without sender rewriting, which can (from users' perspective) be easily 
substituted by forwarding _with_ sender rewriting.

Speaking as a commercial forwarder who has *already* substituted
forwarding with envelope sender rewriting, I think what's important to
users is not who the envelope sender is but whom the mail is really
from.

Users care so little about who sent their mail that most MUAs don't
even bother to display the envelope sender.  They do display a "From:"
header address, and it's the authenticity of that address that
matters, not how the mail got to the user.

If SPF really takes root, forwarding without sender rewriting will
indeed die.  However, as SPF alone assures only the authenticity of an
envelope address few users care about, I predict that SPF's future is
dependent on other things also taking root.

In a fully SPF'd world, a forwarder won't accept mail unless is passes
SPF muster, and by rewriting the sender the forwarder makes the next
hop pass SPF.  This is SPF authenticating the path without directly
addressing the authenticity of the mail itself.  Illicit mail isn't
prevented, but it is made traceable.

Sender-ID attempts to authenticate the party responsible for the
mail.  This is considerably harder - harder even to define what it
means.  However, it's a lot easier if the path is known to be good,
which is why I view SPF and SID as complementary, not competing.

DKIM shows promise as an addition that can assure that an entire
message arrives intact, but it does not assure that the message was
authentic in the first place.  SPF, SID, and DKIM working together
could make a tremendous difference.

--
Dick St.Peters, stpeters(_at_)NetHeaven(_dot_)com 

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com