> > Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?
How about I try this again aimed at the mailing list.

Sender-ID really doesn't work any better than SPF, for the same reasons SPF tends to be broken: lots of mail masters abuse it and set the values wrong. Like, my big pet peeve is people who finally know they have Sender-ID/SPF working, so they are past the transition stage, and don't swap to -all. By spec I can't reject messages from mail exchangers claiming to be from their domain, since the spec says that with ~all this is only an approximation of what may be sending from their domain. But the idea is to reject or round-file illegitimate mail before it gets to the user.

With DKIM you really just need the DKIM part of the header to tell if you can bin the message, but at that point you may just as well have the message; you could in theory round-file it if it fails before it gets to the more system-intensive scanners like virus or spam scans. At least that's my preferred way to handle SPF+DKIM.

-- 
Jason Barbier | [email protected]
Pro Patria Vigilans
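
The `~all` versus `-all` point from the message above, as an added example that is not part of the original post: a small audit that reads published SPF records and reports what a receiver gets for a host matching no earlier mechanism. The domains, records and the action table are constructed for illustration; the action table is an assumed local policy, not something the post or the SPF specification mandates.

```python
# Added example: classify the "all" mechanism of SPF records (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumed local receiver policy per default result (hypothetical, adjust to taste).
ACTIONS = {
    "fail": "reject at SMTP time",
    "softfail": "accept, mark, pass to later scanners",
    "neutral": "accept, no SPF signal",
    "pass": "accept, record authorizes any host",
    "redirect": "evaluate the redirect target's record",
    "none": "accept, no SPF record",
}

def default_result(record: str) -> str:
    """SPF result for a sending host that matches no mechanism before 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    has_redirect = False
    for term in terms[1:]:
        t = term.lower()
        # A mechanism without an explicit qualifier defaults to "+".
        qualifier, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all":
            # "all" always matches; redirect= is ignored when "all" is present.
            return QUALIFIERS[qualifier]
        if t.startswith("redirect="):
            has_redirect = True
    # No "all": follow redirect if present, otherwise the default is neutral.
    return "redirect" if has_redirect else "neutral"

def audit(records: dict) -> dict:
    """Map each domain to (default result, assumed receiver action)."""
    out = {}
    for domain, txt in records.items():
        result = default_result(txt)
        out[domain] = (result, ACTIONS[result])
    return out

# Constructed sample records (documentation domains and address ranges).
SAMPLE = {
    "strict.example": "v=spf1 mx ip4:192.0.2.0/24 -all",
    "transition.example": "v=spf1 mx include:_spf.example.net ~all",
    "open.example": "v=spf1 +all",
    "noall.example": "v=spf1 a mx",
    "delegated.example": "v=spf1 redirect=_spf.example.net",
}

if __name__ == "__main__":
    for domain, (result, action) in audit(SAMPLE).items():
        print(f"{domain:20} {result:9} {action}")
```
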
