Bill,
From the very get-go, the SPF community has always been very careful not
to confuse anti-spam with anti-forgery. And for good reasons. Of course, a
lot of spammers spoof, and legit folks don't, so it stands to reason that
in deploying SPF you will at least stop the influx of spammers who spoof.
One of the reasons SPF should, IMHO, not be equated with 'anti-spam' is
that the 'negative' side is only one part of the equation. Namely, once
you have deployed SPF, and with "pass" determined that a relay is
authorized to use a domain name, you could do 'positive' things with it,
too, like whitelist a particular connection based on the score of a
reputation service. Recently, for instance, I have implemented Meng's new
Karmasphere service, and I am fairly excited about it. :)
I say the use of a reputation service, like that of Meng's, in combination
with SPF, is potentially very valuable. For one, it allows for greater
granularity while examining a client connection. Heretofore, you inspect a
connecting IP address, and that was pretty much it. But now you could have
mail come in from a 'gray' IP address (say a dynamic, residential
address), that you would normally reject, and with the aid of SPF in combo
with a reputation service, selectively say domain 'mybuddies.com' or
'majorisp.com', when authorized and in good standing, are still okay to
connect from that IP(range).
The possibilities of adding "pass-ed" domains to the mix are legio.
Therefore SPF != anti-spam. Also, as you hopefully see from my examples,
very much depends on the MTA, and how their operators will use it.
- Mark
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription:
http://v2.listbox.com/member/?member_id=2183229&id_secret=78833942-8b72e9
Powered by Listbox: http://www.listbox.com