Justin Mason wrote:
> SPF is *NOT* for catching spam. It works great at what we use it for in
> SpamAssassin -- as an authentication mechanism,
Just to pick nits:

SPF is not an authentication mechanism, it's an authorization mechanism.
It is VERY important to not confuse the two. (and, while I am
generally down on SPF, this message should not be taken as a criticism
of SPF; it is merely correctly identifying which space of problem it
addresses)

SPF merely tells you that the host is authorized to send email from that
mail domain. There is nothing about the process which authenticates the
message, host, or email address.

If I know what I'm doing, I can use various TCP or IP layer techniques
to spoof being the host, or possibly spoof being in the host's relay domain.

If I am on the same host, or can spoof being on that host, or spoof
being in the host's relay domain, I can forge being from the correct
email domain (in a way that SPF can't detect).

If I can forge being from the correct email domain, I can forge being a
legitimate sender from within that domain.

An authentication scheme should detect one or more of these things. SPF
addresses none of them. SPF assumes that the host information is
authentic, and then attempts to determine whether or not that host is
authorized to use that email domain for sending email. It is an
authorization scheme only.

(and, again, that's not a criticism; we need authorization schemes, I'm
just saying: it's not an authentication scheme)
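The point the reply makes can be seen directly in what an SPF check consumes: only the connecting IP and the MAIL FROM domain. The following is an added example, not code from the thread or from SpamAssassin: a minimal SPF evaluator covering the `ip4`, `ip6` and `all` mechanisms (the `a`, `mx` and `include` mechanisms, which need live DNS, are deliberately left out). The SPF records and the domains `example.com` and `example.net` are constructed sample data, not real DNS answers. Note that the evaluator never looks at the message body, any header, or the local part of the sender address; it only answers "is this IP authorized for this domain", which is exactly the authorization-only scope described above.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (not real records).
CONSTRUCTED_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

# Result an SPF qualifier yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def check_spf(client_ip, mail_from_domain, records=CONSTRUCTED_SPF_RECORDS):
    """Return the SPF result for a connecting IP claiming a MAIL FROM domain.

    Inputs are the two things SPF actually reasons about: the peer address
    and the domain. Nothing about the message itself is examined.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        # a / mx / include / exists would require DNS lookups; omitted here.
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # fell off the end of the record without a match


def evaluate_mail_from(client_ip, mail_from):
    """Check an envelope sender: the local part is discarded before lookup."""
    _local_part, _, domain = mail_from.rpartition("@")
    return check_spf(client_ip, domain.lower())


if __name__ == "__main__":
    # Same authorized IP, two different local parts: identical SPF result.
    for sender in ("alice@example.com", "someone-else@example.com"):
        print(sender, "from 192.0.2.10 ->", evaluate_mail_from("192.0.2.10", sender))
    print("alice@example.com from 203.0.113.5 ->",
          evaluate_mail_from("203.0.113.5", "alice@example.com"))
```

Running it shows that a `pass` only says the sending host is on the domain's authorized list; which mailbox in that domain the message claims to come from never enters the computation, so a `pass` is not evidence that the named user sent it. That is the gap a separate authentication mechanism (for example a per-message signature) has to fill.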