Alex van den Bogaerdt wrote:
> Even if every dyn-dns user can forge other dyn-dns users' domains:
> With SPF you authorize a server. You don't claim authenticity of
> the messages sent by such server (or any other claim on the messages).

I would agree, and had my friend set up his record as George did;
basically exactly what the dyndns webpage suggests:
http://www.dyndns.com/support/kb/archives/spf_and_dyndns_systemsservices.html
I just didn't want George to have unrealistic expectations about what
publishing that record would get him.

> Some people involved in SPF think it is a good idea to publish
> something like: "v=spf1 ?include:outbound.mailhop.org -all"
> in this case. Others, and I am one of them, disagree.

That seems silly, though I suppose some way to distinguish between
someone who runs their own, non-shared server where forgery that got a
'PASS' would require hijacking the box and the mailhop.org case might be
useful. Though I think at that point, you might as well jump into DKIM
and reputations.

> Is dyn-dns authorized to send your mail? Then it deserves a PASS.
> If forgery does happen, you expect dyn-dns to react and (virtually)
> kill the forger.

Agreed. I've got a mail out to my friend to see if it's possible for
him to use another domain in his mail-from: after authenticating to
dyn-dns. Of course, I'm not sure how he can test it without getting in
trouble :-)

Robert
--
Robert Thille 7575 Meadowlark Dr.; Sebastopol, CA 95472
Home: 707.824.9753 Office/VOIP: 707.780.1560 Cell: 707.217.7544
rthille(_at_)mirapoint(_dot_)com YIM:rthille
http://www.rangat.org/rthille
Cyclist, Mountain Biker, Freediver, Kayaker, Rock Climber, Hiker, Geek
May your spirit dive deep the blue, where the fish are many and large!
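
How the two record styles discussed in this thread evaluate, as an added example that is not part of the original message: a minimal evaluator for a subset of SPF (`all`, `ip4` and `include` only, no DNS lookups). The `.example` domains, the record shown for outbound.mailhop.org and the 192.0.2.0/24 range are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data standing in for DNS TXT lookups (not real answers).
ZONE = {
    "plain.example": "v=spf1 include:outbound.mailhop.org -all",
    "neutral.example": "v=spf1 ?include:outbound.mailhop.org -all",
    # Assumed record for the shared relay; 192.0.2.0/24 is a documentation range.
    "outbound.mailhop.org": "v=spf1 ip4:192.0.2.0/24 -all",
}

def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate the SPF record of `domain` for a connecting `ip`."""
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    if depth > 10:                       # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                  # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            # include matches only when the included record passes;
            # the outer qualifier then decides the reported result.
            matched = inner == "pass"
        else:
            return "permerror"           # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched

if __name__ == "__main__":
    for domain in ("plain.example", "neutral.example"):
        for ip in ("192.0.2.25", "198.51.100.7"):
            print(domain, ip, check_host(ip, domain))
```

Mail relayed through the shared range gets `pass` with the plain `include:` and `neutral` with `?include:`; mail from any other address gets `fail` under both records.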