On 13 dec 2006, at 15.21, Marc Perkel wrote:

> True - SPF is hopelessly broken and must die.

Not so. It does exactly what it sets out to do. That it allows you to specify that messages for fraud.com can be sent from any IP address doesn't change the fact that it's a very concrete advantage to be able to know that a message from mybank.com actually is from MyBank, and no one else.

Note that SP in SPF stands for "Sender Policy" - The sender (domain owner) sets the policy, and only the sender is affected. Receivers should respect the sender policy - Why shouldn't they? - but if they don't want to, they're free to ignore it.

> Repeat after me: SPF breaks email forwarding.

You claim that SPF is broken, but think that classic, "dumb", email forwarding isn't? How would you stop forgeries and still allow classic email forwarding? What is the biggest problem: Allowing forgeries, or breaking forwarding? Before you answer, consider that it's up to the domain owner to decide, so you can have it either way. How can this be a problem?

I use SPF primarily because it allows me to prevent and detect forgeries for my own domains. I'm not going to allow forwarding, as long as it creates a loophole for forgeries. Simple as that. I've had zero complaints from my users.

j o a r
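
Added example, not part of the original message: a small SPF evaluator showing the trade-off discussed in this thread, where a strict policy rejects a forger and a classic forwarder alike, while the domain owner can pick a softer or fully open policy instead. It handles only the ip4, ip6 and all mechanisms (no DNS lookups); the policies, host roles and addresses are constructed, using documentation address ranges.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record for one connecting IP (ip4/ip6/all only, no DNS)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a mechanism without a qualifier means pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":            # matches every sender, ends evaluation
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise NotImplementedError("mechanism needs DNS: " + name)
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"                         # nothing matched and no "all" term

# Constructed policies for a hypothetical domain owner.
BANK_STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
BANK_SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"
ANY_SENDER = "v=spf1 +all"

BANK_MTA = "192.0.2.10"       # the domain owner's own outbound server
FORWARDER = "198.51.100.25"   # relays the message with the envelope sender unchanged
FORGER = "203.0.113.66"       # unrelated host claiming the owner's domain

def scenarios():
    """Return the SPF result a receiver would compute in each case."""
    return {
        "direct/strict": check_spf(BANK_STRICT, BANK_MTA),
        "forged/strict": check_spf(BANK_STRICT, FORGER),
        "forwarded/strict": check_spf(BANK_STRICT, FORWARDER),
        "forwarded/soft": check_spf(BANK_SOFT, FORWARDER),
        "forged/soft": check_spf(BANK_SOFT, FORGER),
        "forged/any": check_spf(ANY_SENDER, FORGER),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:18} {result}")
```

The forwarder and the forger get the same result under every policy, because the receiver sees only a connecting IP that the record does not list.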

