spf-discuss

RE: [spf-discuss] Newcomer question - email admin perspective

2007-01-02 15:33:58
Seth Goodman wrote on Tuesday, January 02, 2007 3:55 PM -0600:

> However, SPF pass combined with rDNS match is actually stronger
> assurance of the originating domain than DKIM.

This is very misleading.  If an IP has rDNS records, they are available
to corroborate the DKIM domain as well as SPF.  Any MTA with a static IP
that controls its rDNS zone can take advantage of this extra assurance
for either method.  For dynamic IPs, or where rDNS is not under the
control of the domain owner, both SPF and DKIM are subject to attack by
publishing forward DNS information for a throwaway domain.

Another correction is that a spammer does not have to wait for the SPF
record with a zombie's IP to fully propagate through DNS.  They can
register the domain ahead of time and allow the address of the
authoritative server to propagate through.  When they hijack a zombie,
they need only add an SPF record to their zone and wait for the updated
zone to be available at their domain's authoritative DNS server.  This is
closer to a few minutes, making this attack even more practical.

Sorry for any confusion the previous post may have caused.

--
Seth Goodman
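The corroboration step the post describes (using a sending IP's rDNS to back up an SPF pass or a DKIM d= domain) is shown below as an added example; it is not code from the spf-discuss post or from any SPF or DKIM implementation. DNS is replaced by a constructed lookup table (hostnames and addresses are hypothetical, taken from documentation ranges) so the check runs offline; a real deployment would substitute an actual resolver for the StubResolver class. The check only succeeds when the PTR name resolves forward to the same IP and falls within the authenticated domain, which is exactly what a throwaway domain publishing forward DNS for a dynamic IP cannot satisfy.

```python
"""Corroborate an SPF pass or DKIM d= domain with forward-confirmed rDNS.

Added illustration, not part of the original post. All DNS data below is
constructed; StubResolver is an assumption standing in for a real resolver.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class StubResolver:
    """Minimal stand-in for a DNS resolver, backed by constructed records."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]):
        self._ptr = ptr
        self._a = a

    def ptr(self, ip: str) -> Optional[str]:
        """Reverse lookup: IP -> hostname (None if no PTR published)."""
        return self._ptr.get(ip)

    def a(self, name: str) -> List[str]:
        """Forward lookup: hostname -> list of IPv4 addresses."""
        return self._a.get(name.lower().rstrip("."), [])


def is_in_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it."""
    h = hostname.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def rdns_corroborates(ip: str, auth_domain: str, resolver) -> Tuple[bool, str]:
    """Return (ok, reason) for a sending IP and the domain that SPF passed
    for (or the DKIM d= domain).  ok is True only when:
      1. the IP has a PTR record,
      2. the PTR hostname's A record contains the IP (forward-confirmed rDNS),
      3. the PTR hostname lies within the authenticated domain.
    """
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    hostname = resolver.ptr(ip)
    if not hostname:
        return False, "no PTR record for %s" % ip
    hostname = hostname.rstrip(".")
    if ip not in resolver.a(hostname):
        return False, "PTR %s does not resolve back to %s" % (hostname, ip)
    if not is_in_domain(hostname, auth_domain):
        return False, "PTR %s is outside %s" % (hostname, auth_domain)
    return True, "forward-confirmed PTR %s within %s" % (hostname, auth_domain)


# Constructed records: hypothetical hosts in documentation address ranges.
RESOLVER = StubResolver(
    ptr={
        "192.0.2.10": "mx1.example.com.",            # static MTA; owner controls rDNS
        "198.51.100.77": "dyn-77.isp.example.net.",  # dynamic IP; ISP's generic PTR
        # 203.0.113.5 deliberately has no PTR at all
    },
    a={
        "mx1.example.com": ["192.0.2.10"],
        "dyn-77.isp.example.net": ["198.51.100.77"],
        # A throwaway domain can publish forward DNS (and SPF) for the dynamic
        # IP, but it cannot alter the ISP-owned PTR record for that IP.
        "mail.throwaway.example": ["198.51.100.77"],
    },
)


def demo() -> List[Tuple[str, str, bool, str]]:
    """Run the check over three constructed cases and return the verdicts."""
    cases = [
        ("192.0.2.10", "example.com"),           # legitimate static MTA
        ("198.51.100.77", "throwaway.example"),  # SPF pass backed by forward DNS only
        ("203.0.113.5", "example.com"),          # no rDNS published
    ]
    results = []
    for ip, domain in cases:
        ok, reason = rdns_corroborates(ip, domain, RESOLVER)
        results.append((ip, domain, ok, reason))
    return results


if __name__ == "__main__":
    for ip, domain, ok, reason in demo():
        print("%-15s %-20s %-5s %s" % (ip, domain, "PASS" if ok else "FAIL", reason))
```

The same function serves both authentication methods: pass the SPF-checked domain for an SPF result, or the d= tag's domain for a DKIM signature, and the rDNS corroboration is identical, which is the post's point that neither method has a monopoly on this extra assurance.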

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735