spf-discuss

Re: [spf-discuss] SPF vs DomainKeys.

2006-06-25 07:08:56
In <449E955B(_dot_)7000108(_at_)3056(_dot_)net> Rear Gunner 
<news(_at_)3056(_dot_)net> writes:

> I just wonder, is SPF supposed to work in conjunction with DomainKeys or
> is it a competing anti-spam tool? Why is SPF better than DomainKeys?

I haven't actually counted posts and people, but my impression is that
from almost the beginning the vast majority of people in the SPF
community saw Domainkeys as a *complementary* system, rather than a
competing one.

SPF has problems with forwarders, but mailing lists pass with flying
colors.

Domainkeys doesn't have problems with forwarders, but mailing lists
that add the "unsubscribe" trailers, add tags to the subject, strip
attachments, etc., cause Domainkeys to break.  Actually, similar
problems can happen with some forwarders who add ads, do spam
filtering, and such.  Even border MTAs are known to munge email.

The point, however, is that these two systems can often be used
together to cancel out each other's weaknesses.  If a given IP address
or HELO domain consistently sends email that fails SPF checks but
passes Domainkeys checks, then there is a good chance that that source
is a forwarder.  Likewise, if a source consistently passes SPF
checks, but fails Domainkey checks, it is likely to be a mailing list.


Oh, and for what it is worth, the IETF is working on an improved
version of Domainkeys called DKIM.  There have been several problems
found with the original Domainkeys, including some security
loopholes.  Everything I said above about Domainkeys pretty much
applies to DKIM as well.  (DKIM has an option that will let it survive
some mailing lists that add trailers, but that has its own set of
security risks.)


-wayne
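
The heuristic described in the message above, as an added example that is not part of the original post: per-source SPF and DomainKeys verdicts are tallied and a source is labelled only when one combination dominates. The record layout, the thresholds, the label names and the sample data (documentation IP ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (source IP, SPF result, DomainKeys result)
SAMPLE = (
    [("192.0.2.10", "fail", "pass")] * 6            # breaks SPF, signature intact
    + [("198.51.100.7", "pass", "fail")] * 5        # SPF fine, body/subject munged
    + [("198.51.100.7", "pass", "pass")]
    + [("203.0.113.5", "fail", "fail")] * 2         # too few messages to judge
    + [("203.0.113.9", "fail", "fail")] * 3
    + [("203.0.113.9", "pass", "pass")] * 3
    + [("203.0.113.9", "neutral", "pass")]          # ignored: no definite SPF verdict
)

MIN_MESSAGES = 5    # assumption: fewer definite results than this is not "consistent"
CONSISTENT = 0.8    # assumption: share of messages that must show the same pattern

# (SPF, DomainKeys) pattern -> label, following the reasoning in the message
PATTERNS = {
    ("fail", "pass"): "likely-forwarder",
    ("pass", "fail"): "likely-mailing-list",
    ("pass", "pass"): "direct-sender",
}


def classify_sources(records, min_messages=MIN_MESSAGES, consistent=CONSISTENT):
    """Label each source by its dominant SPF/DomainKeys result combination."""
    counts = defaultdict(lambda: defaultdict(int))
    for source, spf, dk in records:
        # Only definite verdicts are counted; neutral, none, softfail and
        # temporary errors say nothing either way about the source.
        if spf in ("pass", "fail") and dk in ("pass", "fail"):
            counts[source][(spf, dk)] += 1

    verdicts = {}
    for source, pairs in counts.items():
        total = sum(pairs.values())
        if total < min_messages:
            verdicts[source] = "insufficient-data"
            continue
        verdicts[source] = "mixed"
        for pattern, label in PATTERNS.items():
            if pairs[pattern] / total >= consistent:
                verdicts[source] = label
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE).items()):
        print(f"{src:15} {verdict}")
```

The labels are hints for weighting later checks, not verdicts on the mail itself: a source that fails both checks, or shows no stable pattern, stays unclassified.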
