In article <[EMAIL PROTECTED]>, Andreas Metzler <[EMAIL PROTECTED]> wrote: >Miquel van Smoorenburg <[EMAIL PROTECTED]> wrote: >> You know, there is a difference between Envelope-From (SMTP MAIL FROM:) >> and whatever you put in the From: header. They don't have to be the same. >[...] > >I do know that, but e.g. (closed) mailing-lists check the envelope >from.
Which is arguably broken. The list should allow you to set up multiple address that you can post from (any many do). >And it does not help in the first szenario at all (unless you >think it to be ok that user a receives the bounces for user b). If you read RFC822 and see the distinction between Sender: and From: that isn't really as strange as it would seem. Sure, it isn't as flexible as the current "solution" (impersonate whoever you want) but that is going to be true of *any* better solution, alas. And I don't think you can get all users to sign their e-mail with PGP or use SMTP AUTH exclusively overnight. You need something that will work in most cases, without end-user changes, on the current Internet. This is something that if it breaks, it will most likely be for the users who know how to fix it. I don't like SPF much either. I've just come to the conclusion that it's probably better than nothing. Mike. -- Never trust a statistic you didn't fake yourself.
