-
@mk @rozzin you miss the point. A spam domain can have a strong SPF record. But if bank.com published a strong SPF record, it would be easy to identify email from bank.com
-
@boneidol no, sorry, but you miss my point. SPF only validates the *sender* address (that's what's on the *envelope*) by looking if the sending mail server is authorized to send mail for the domain the sender address belongs to. This check is done before the mail content is processed. A spammer could easily set up a domain and a sending server authorized to send mail from…
-
@boneidol, I'd rather bank on #DKIM. Or #PGP. Or S/MIME.
-
@boneidol, we need to get past the idea that !crypto's too complicated & too slow for everyday use. It works better than the alternatives.
-
@boneidol @rozzin it seems you miss my point, too - see http://oracle.skilledtests.com/notice/886285
-
I should set DKIM up on some domains.
-
@mk, I'm pretty sure you and I are in agreement about SPF vs. DKIM/PGP/SMIME: all of that latter group operate on the message, not the envelope, and verify the origin in a user-compatible way regardless of the delivery path.
-
@mk, you're actually being too nice to #SPF: it doesn't even verify the envelope sender beyond the last hop in the delivery path. It (sort of, sometimes...) 'facilitates' traceability... but depends on 'everyone else' doing work: the people who want to benefit from SPF need SRS all along both their inbound and outbound delivery paths, and the people who'd need to implement SRS aren't the ones who benefit from SPF.
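The two points above (SPF only checks whether the connecting server is authorized for the envelope-sender domain, and forwarding breaks that check unless the forwarder applies SRS) are easier to see with a toy evaluator. The following is an added example, not code from anyone in this thread: it uses constructed DNS records and the RFC 5737 documentation addresses, supports only the ip4/ip6/all mechanisms, and uses placeholder hash and timestamp fields in the SRS address.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real domains).
DNS_TXT = {
    "bank.example":      "v=spf1 ip4:203.0.113.0/24 -all",
    "spammer.example":   "v=spf1 ip4:198.51.100.5 -all",
    "forwarder.example": "v=spf1 ip4:192.0.2.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(envelope_from, client_ip):
    """Evaluate SPF for the envelope (MAIL FROM) address only.

    Note what is NOT looked at: the From: header, the message body,
    or any hop before the connecting server.  Toy evaluator: only
    ip4:, ip6: and all are implemented; other mechanisms are skipped.
    """
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"                      # domain publishes no SPF
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # Mixed IP versions never match; ip_network handles a bare host.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                       # a, mx, include, ... not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no term matched, no 'all'


def srs_rewrite(envelope_from, forwarder_domain):
    """Sender Rewriting Scheme: make the forwarder the envelope sender.

    Real SRS0 addresses carry an HMAC and a timestamp so bounces can be
    validated and routed back; 'HHHH' and 'TT' are placeholders here.
    """
    local, domain = envelope_from.rsplit("@", 1)
    return f"SRS0=HHHH=TT={domain}={local}@{forwarder_domain}"


def scenarios():
    """Return the SPF outcome of each situation discussed in the thread."""
    original = "alice@bank.example"
    forwarded = srs_rewrite(original, "forwarder.example")
    return {
        # Legitimate mail from the bank's own outbound server.
        "bank_direct":        check_spf(original, "203.0.113.7"),
        # A spammer's own domain with a strict record: SPF passes.
        # SPF says "authorized for this domain", not "trustworthy".
        "spammer_own_domain": check_spf("x@spammer.example", "198.51.100.5"),
        # Spammer forging the bank's envelope sender: SPF fails.
        "spoofed_bank":       check_spf(original, "198.51.100.5"),
        # Bank mail relayed by a forwarder that keeps the original envelope
        # sender: the forwarder's IP is not in bank.example's record.
        "forwarded_no_srs":   check_spf(original, "192.0.2.10"),
        # Same forwarder after SRS: the envelope now belongs to the
        # forwarder, so the check is against forwarder.example's record.
        "forwarded_with_srs": check_spf(forwarded, "192.0.2.10"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
```

The "forwarded_no_srs" case is the breakage rozzin describes: the receiving side sees the forwarder's IP as the last hop and checks it against bank.example's record, so every recipient who forwards mail through a non-SRS relay turns a legitimate message into an SPF fail. The "spammer_own_domain" case is mk's point that a strong record proves authorization for the sending domain and nothing more.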
-
@rozzin that sounds like the evolution of spam origin analysis: first, all Received: headers were checked; but then it was seen that those could actually be spoofed, too - *except* for the origin machine of the last hop. Looks like SPF picked up on that 'wisdom' and doesn't bother itself with what could be fake anyway. But thanks, I hadn't realized that about SPF (though …
-
@mk, I think the idea is, if #SPF ever achieved #saturation (100% deployment), the list of "Received" headers would become trustworthy
-
@boneidol and if you outsource email, it's possible other clients of the same provider can pass your SPF too