SPF question
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Wed Oct 31 17:35:26 UTC 2007
On Wed, Oct 31, 2007 at 04:41:00PM +0000, Christopher Browne wrote:
> SPF *may* also make sense for large entities that:
> a) Send out a lot of mail, and
> b) Are targets for fraudulent mail
>
> EBay and PayPal would fit into that category, as would banks.
>
> It seems not too outrageous for them to try to tell the world things like:
>
> "If you get mail claiming to be from our domain that doesn't contain
> our digital signature, then we're willing to suggest that it is
> fraudulent and may be safely thrown away."
Well, since not everyone insists on checking SPF, there are plenty of
ways for those scams to get through anyhow. A much better way to deal
with those phishing emails is to make people less stupid. Not sure how
much luck we will have on that. Perhaps I am overly optimistic in the
average ability of the population as a whole.
> "If you get mail claiming to be from our domain that was not sent from
> one of our IP addresses, then it did not pass through proper channels
> and may be safely thrown away."
>
> But that certainly imposes some burdens on the flexibility of one's
> mail management. For the "digital signature" case, for instance, it
> implies that people in the organization MUST pass their messages
> through a mail server that knows how to generate the digital
> signatures. If those servers are pretty locked down, which is
> appropriate, then this implies some possible inconvenience in getting
> outgoing mail signed.
>
> This doesn't seem like something that everyone would want to apply to
> their mail.
Well, it is a trade-off between convenience and control.
--
Len Sorensen
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists