> -----Original Message-----
> From: Steffen Heil [mailto:lists@steffen-heil.de]
> (And if not, what exactly are you authenticating?)
>
> No, you could use the hostname of the MX for the ssl cert. So the MX for
> company.tld would be mx.mailprovider.tld. A provider would need ONE
> certificate for all domains hosted on his site.

That doesn't really accomplish anything, then. Let's say I'm a Comcast
customer. (Not to pick on them; they're just a handy example.) I can still
send all manner of spam through Comcast's MX servers, with any forged email
address I want, and it'll be considered authorized because Comcast's MX has
an SSL cert. It's even less effective than SPF; at least with SPF I can't
forge a domain that has an SPF record that excludes Comcast's servers.
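
An added example, not part of the original message: a simplified SPF evaluator (ip4 and all mechanisms only) next to the MX-certificate check proposed in the quoted text, both applied to mail relayed through one ISP server. The domains, IP ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample records (documentation IP ranges, example domains).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",    # excludes the ISP relay
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",  # the ISP's own relays
}   # nospf.example publishes nothing

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(sender_domain, client_ip, records=SPF_RECORDS):
    """Simplified SPF: handles only the ip4 and all mechanisms."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this sketch
    return "neutral"  # no mechanism matched

def mx_cert_check(cert_hostname, relay_hostname):
    """Scheme from the quoted text: the certificate names the MX host only."""
    return "pass" if cert_hostname.lower() == relay_hostname.lower() else "fail"

def evaluate(envelope_from, client_ip, relay_hostname, cert_hostname):
    """Compare both checks for one message; the sender domain only affects SPF."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    return {
        "mx_cert": mx_cert_check(cert_hostname, relay_hostname),
        "spf": spf_check(domain, client_ip),
    }

if __name__ == "__main__":
    relay = ("198.51.100.25", "mx.isp.example", "mx.isp.example")
    for sender in ("user@isp.example", "ceo@bank.example", "x@nospf.example"):
        print(sender, evaluate(sender, *relay))
```

The certificate check returns the same result for every sender address because it never looks at the sender domain; SPF changes its answer only for domains that publish a record.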