Julian Mehnle wrote:
> This leads to an interesting question:
> There are two variants: (a) SPF and DKIM both are _required_ for a message
> to pass, or (b) SPF and DKIM each are _sufficient_ for a message to pass.
> Would it be useful to allow the _domain_owner_ to specify which variant
> they prefer?
I've thought about it some more. I don't think (a) is an interesting
combination. What would (a) mean...
The MTA you got the message from is on the list of authorized MTAs for
the domain and that (or one preceding as long as the message isn't
modified) had a private key that says the message is authorized from the
domain. I think it's largely redundant.
With a Pass for either you've got an identity you can hang reputation on
if you are trying to bootstrap from forgery prevention to spam
filtering. You might even get two.
I think (b), defined properly, is much more interesting and what is more
likely to be worth pursuing. DKIM and SPF both have a hard spot to get
around. DKIM fails on mailing lists that modify messages (almost all of
them) and SPF fails on forwarders that don't do SRS (or some other
solution even less likely to be seen in the wild today) - again almost
all of them.
Finding a way to combine the results to cover the weaknesses of each is,
I think, an interesting and worthy problem to solve. No one else is
working on it publicly that I'm aware of.
Scott K
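
A sketch of the two variants discussed in this message, added here as an illustration and not code from the thread or from any SPF/DKIM implementation. The names `AuthResult`, `combine` and `compare_variants` are hypothetical, all result values are constructed, and the mailing-list row assumes the list re-sends with its own envelope domain so that SPF passes for the list.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthResult:
    method: str   # "spf" or "dkim"
    result: str   # "pass", "fail", "softfail", "neutral", "none", ...
    domain: str   # domain the check vouches for when it passes

def combine(results, variant):
    """Return (verdict, identities) for variant "a" (both required)
    or "b" (either sufficient). identities = domains that passed."""
    if variant not in ("a", "b"):
        raise ValueError("variant must be 'a' or 'b'")
    passed = [r for r in results if r.result == "pass"]
    methods = {r.method for r in passed}
    ok = methods >= {"spf", "dkim"} if variant == "a" else bool(methods)
    identities = sorted({r.domain for r in passed}) if ok else []
    return ("pass" if ok else "fail", identities)

# Constructed sample results, one row per delivery path named in the message.
SCENARIOS = {
    "direct": [AuthResult("spf", "pass", "example.org"),
               AuthResult("dkim", "pass", "example.org")],
    # Forwarder without SRS: relay IP is not authorized, signature survives.
    "forwarder_no_srs": [AuthResult("spf", "fail", "example.org"),
                         AuthResult("dkim", "pass", "example.org")],
    # List modifies the body; assumed to re-send with its own envelope domain.
    "modifying_list": [AuthResult("spf", "pass", "lists.example.net"),
                       AuthResult("dkim", "fail", "example.org")],
    "forged": [AuthResult("spf", "fail", "example.org"),
               AuthResult("dkim", "none", "example.org")],
}

def compare_variants():
    """Map scenario name -> {"a": (verdict, ids), "b": (verdict, ids)}."""
    return {name: {v: combine(res, v) for v in ("a", "b")}
            for name, res in SCENARIOS.items()}

if __name__ == "__main__":
    for name, out in compare_variants().items():
        print(f"{name:18} a={out['a']}  b={out['b']}")
```

In the constructed list row, variant (b) passes on the list's identity rather than the author's, so any reputation attaches to the list domain.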