2006-05-30
Kelly Martin takes a step back from e-mail's unstoppable phishing-virus-spam epidemic and imagines a world where secure e-mail could be the next big killer app.
Um, I Have Your Solution
2006-06-01
Reynolds Kosloskey (3 replies)

Firstly, it is a network protocol; it does not authenticate that I sent an e-mail, only that someone on my domain did.
Secondly, neither it nor in fact signing cope well with portable e-mail addresses. If I use a forwarder as a From for convenience so that I never have to change my e-mail address, SPF prevents me from doing so.
Reply-To can be used for this purpose, but not all e-mail packages yet manage this; indeed I've had e-mail that started with a Reply-To which got translated to From by some random e-mail server! That it is incorrect is irrelevant; the fact remains that the existing implementations are not necessarily perfect.
I would agree with Kelly Martin's idea, that the entire system needs an overhaul, because we have catastrophically failed to abstract users and machines (yet again).
Microsoft of all people are proposing a digital identity, separate and unique for any individual. This is the correct solution (though I shall be interested to see just what MS does with it) because it abstracts away what ISP, PC, IP, etc. are in use.
Consider the annoyances that come from having to change telephone number or e-mail address when a person moves. Since IT is supposed to make life easier, why not finally move to an ID that moves with you, and let the underlying system work out where you are.
Granted there are plenty of issues, privacy for one, but they are not insurmountable. It's about time the Internet wasn't a techie's playground and instead created solutions that work, work well, and are secure and scalable, from the ground up.
Link to this comment: http://www.securityfocus.com/comments/columns/404/33658#33658