On Friday, July 06, 2012 09:34:56 PM Michael Adkins wrote:
> I'm trying to understand the practical value of continuing to honor legacy
> policy mechanisms. If you don't have a spoofing problem, what does your
> SPF record actually do, aside from acting as a deterrent?

First, I think reference to a protocol that the IETF is actively working on in a current WG as "Legacy" is not right.

That's exactly what I gain from it. I used to have a spoofing problem. I don't anymore.

SPF is a complete authorization/policy protocol that's been widely deployed for a long time. I think DMARC is welcome to the authorization component to do 'stuff', but it by no means obsoletes the policy component of SPF and should not pretend to. ADSP may be different. The use case for ADSP may be narrow enough that it doesn't matter, but SPF certainly does.

A related point is that DMARC isn't actually using SPF. It's taking an SPF record (which is meant to apply to Mail From) and applying it to From. Whatever result you get from that is not an SPF result and should not pretend it is. It's a substantially more failure-prone approach for reusing SPF records than Sender ID was, although because of the way DMARC integrates SPF records and DKIM I think it's a very reasonable and useful approach as long as DMARC doesn't overreach.

Scott K
