[mail-vet-discuss] Authentication vs. Authorization

Scott Kitterman mail-vet-discuss at kitterman.com
Fri Oct 24 22:28:38 PDT 2008


On Fri, 24 Oct 2008 18:44:01 -0700 Douglas Otis <dotis at mail-abuse.org> 
wrote:

>Describing these SPF/Sender-ID results as "authentication" will mean  
>domains publishing SPF records are now in jeopardy of dangerously  
>misleading recipients whenever a shared outbound server is employed  
>somewhere.  The risk will become painfully apparent whenever a bad  
>actor's only "authentication" credential is having sent email through  
>one of the authorized SMTP clients.  There are _many_ cases where  
>independent domains share a common outbound server.   While path  
>registration may help reduce a range of spoofed DSNs, it is NEVER safe  
>to refer to this mechanism as an AUTHENTICATION method.  This is not  
>the first time that this concern has been raised. 

Note that DKIM doesn't tell you any more or less.  The same mechanisms that 
the outbound shared MTA admin can use to prevent this type of problem for 
DKIM can be used to prevent it for SPF.

Scott K
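As an added illustration of the point being argued in this thread (not part of the original exchange, and not code from either poster): a minimal SPF evaluator that handles only the `ip4`, `include` and `-all` mechanisms, run against constructed TXT records for two unrelated domains that both route through one shared outbound MTA, followed by the submission-time sender binding a shared-MTA operator can enforce. The domain names, IP addresses and account names are invented for the example.

```python
"""SPF authorizes a sending host, not the message author.

Constructed example: a toy SPF evaluator (ip4, include, -all only) plus
the MAIL FROM binding check a shared outbound MTA can apply at
submission time. All records, addresses and accounts are invented.
"""
import ipaddress

# Constructed TXT records: alpha.example and beta.example are unrelated
# domains that both delegate to the same shared outbound MTA.
SPF_RECORDS = {
    "alpha.example": "v=spf1 include:_spf.sharedmta.example -all",
    "beta.example": "v=spf1 include:_spf.sharedmta.example -all",
    "_spf.sharedmta.example": "v=spf1 ip4:192.0.2.25 -all",
}


def check_spf(domain, client_ip, depth=0):
    """Return 'pass', 'fail', 'neutral' or 'none' for client_ip sending as domain.

    Only the ip4, include and -all mechanisms are implemented, which is
    enough to show why a pass says nothing about which customer of the
    shared MTA originated the message.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:  # no record, or include: loop guard
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if check_spf(term[8:], client_ip, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"
    return "neutral"


# Constructed submission policy for the shared MTA: each authenticated
# submission account is bound to the envelope-sender domains it owns.
ALLOWED_SENDER_DOMAINS = {
    "alpha-user": {"alpha.example"},
    "beta-user": {"beta.example"},
}


def mta_accepts_mail_from(account, mail_from):
    """Accept MAIL FROM only if its domain is bound to the submitting account.

    This is the operator-side control the reply refers to: it works the
    same way whether the downstream check is SPF or DKIM.
    """
    domain = mail_from.rpartition("@")[2].lower()
    return domain in ALLOWED_SENDER_DOMAINS.get(account, set())


def demo():
    """Both domains pass SPF from the shared MTA; only the MTA-side
    binding distinguishes a legitimate customer from one forging the
    other's domain."""
    spf = {d: check_spf(d, "192.0.2.25") for d in ("alpha.example", "beta.example")}
    forged_blocked = not mta_accepts_mail_from("beta-user", "someone@alpha.example")
    return spf, forged_blocked


if __name__ == "__main__":
    print(demo())
```

The first half shows the limitation the thread is about: the same client IP yields a pass for both domains, so a receiver cannot tell from SPF alone which of the MTA's customers sent the message. The second half shows the control the reply points to: the shared MTA rejects an envelope sender whose domain is not bound to the authenticated submission account, which closes the gap for SPF exactly as it would for a DKIM signing domain.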

