Re: [Exim] Re: Fixing SPF Forward Problem by Reply-to: Hack?

On Sun, Mar 21, 2004 at 01:25:58PM -0500, Greg A. Woods wrote:
> SPF is based _entirely_ on totally false assumptions.
>
> The SMTP envelope sender address does not, and can not, authenticate the
> sender (and most mail servers in production today don't even have any
> way to enforce any policy on the sender addresses they accept and pass
> on to other servers).

So point to the part of the SPF documentation, or the SPF website, where
they claim that it does authenticate the sender? I tried hard but I
couldn't find it.

> The "sender address" _MUST_ be used _only_ as a
> destination of non-delivery status reports, as specified in RFC 2821.
> Any use for authentication is extremely misguided and very dangerous.

This would be why the SPF site a) says that the main purpose of SPF is
to reduce the amount of spurious NDRs and b) advises you to use SPF to
verify the header sender, as well as the the envelope sender, if you
really want to use it as an anti-spam tool.

> If you want authenticated e-mail then we already have PGP and S/MIME.
> Pick one and USE IT!

SPF has nothing to do with authenticated e-mail. So far, the only false
assumptions I see are in your message.

SPF is not complete, as it currently stands, which I agree makes it not
worth implementing yet. SRS is extremely ugly and there have to be
better answers to the forwarding problem, though whoever was alleging
that it ignores the 64 character limit on the local part of an address
simply hasn't read the documentation.

--
Bruce

I object to intellect without discipline. I object to power without
constructive purpose. -- Spock