--On 14 December 2006 10:50:34 -0500 "Coffey, Neal" <[EMAIL PROTECTED]> wrote:
3) Let's say you bank with Bank of MyBank BankCorp. MyBank.com specifies an SPF record. You receive a message claiming to be from mybank.com, and it passes SPF. You can be reasonably certain it is legitimate. Corollary: Do use SPF in combination with a whitelist to make the whitelist more powerful.
It can also be useful with well-managed TLDs - those that have strict requirements for registration. For example, it's tough to get a .edu or .ac.uk domain, and I'd be quite happy whitelisting (or at least giving a negative SpamAssassin score) to any SPF pass for domains in the .edu or .ac.uk TLDs.
Similarly controlled domains exist for .ltd.uk and .plc.uk and .coop - unfortunately I've never seen them used by financial institutions. There's a clear benefit to doing so, as it's harder to phish if the banks' customers are expecting email from controlled TLDs.
It's unfortunate that there isn't a TLD for registered financial institutions, but actually that would be quite hard to define given that there are widely differing standards between nations.
-- Ian Eiloart IT Services, University of Sussex
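
The whitelist-plus-SPF idea discussed in this thread, as an added example that is not part of either post: a score adjustment is granted only when SPF passed and the authenticated envelope domain is whitelisted or sits under a strictly registered suffix. The whitelist contents, suffix list, score values and sample headers are constructed assumptions, and the Received-SPF header is assumed to be the one added by the receiving server.

```python
import re

# Assumed policy values (hypothetical, not taken from the thread).
WHITELIST = {"mybank.com"}                 # exact envelope domains we trust
CONTROLLED_SUFFIXES = (".edu", ".ac.uk")   # registries with strict registration
WHITELIST_SCORE = -100.0
CONTROLLED_SCORE = -2.0

_RESULT = re.compile(r"^\s*([A-Za-z]+)")
_ENVELOPE = re.compile(r'envelope-from="?<?([^\s";>]+)', re.I)

def parse_received_spf(value):
    """Return (result, envelope_domain) from a Received-SPF header value."""
    m = _RESULT.match(value)
    result = m.group(1).lower() if m else "none"
    e = _ENVELOPE.search(value)
    domain = None
    if e and "@" in e.group(1):
        domain = e.group(1).rsplit("@", 1)[1].lower().rstrip(".")
    return result, domain

def spf_score_adjustment(received_spf):
    """Negative score only for an SPF pass on a trusted or controlled domain."""
    result, domain = parse_received_spf(received_spf)
    if result != "pass" or not domain:
        return 0.0                         # a whitelist entry alone earns nothing
    if domain in WHITELIST:                # exact match, so lookalikes miss
        return WHITELIST_SCORE
    if domain.endswith(CONTROLLED_SUFFIXES):
        return CONTROLLED_SCORE
    return 0.0                             # SPF pass on an unknown domain

# Constructed sample header values (documentation addresses only).
SAMPLES = {
    "bank_pass": 'pass (sender permitted) client-ip=192.0.2.10; '
                 'envelope-from="alerts@mybank.com"; helo=mail.mybank.com;',
    "bank_fail": 'fail (sender not permitted) client-ip=203.0.113.7; '
                 'envelope-from="alerts@mybank.com"; helo=host.example;',
    "lookalike": 'pass (sender permitted) client-ip=203.0.113.7; '
                 'envelope-from="alerts@mybank.com.example.net";',
    "uni_pass":  'pass (sender permitted) client-ip=198.51.100.4; '
                 'envelope-from=<staff@dept.example.ac.uk>;',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, spf_score_adjustment(header))
```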