Alexandre François Garreau <[email protected]> wrote:
> On Saturday 9 November 2019 23:32:59 CET, you wrote:
>> Alexandre François Garreau <[email protected]> wrote:
>> > On Saturday 9 November 2019, 21:44:46 CET Dmitry Alexandrov wrote:
>> >> In the light of yet another letter from your impostor, do you have any
>> >> more unresolved questions that impede you from starting to sign mail?
>> >> Feel free to ask them.
>> > Note signing can be avoided with effective spf policy.
>> 
>> No, it cannot.  SPF has nothing to do with message headers.  Itʼs an
>> antispam measure that can help to detect fakes when one tries to fake a
>> domain name of his _SMTP-server_ (e.g. claim that his 89.184.73.65 is not
>> nvs406.mirohost.net but fencepost.gnu.org), but our impostor has not
>> bothered to do it.
>
> It is meant to authenticate both IP addresses and domains.  So
> nvs406.mirohost.net instead of fencepost.gnu.org stays invalid under a strict
> SPF policy (if DMARC asks to enforce it).

Ah, so itʼs not SPF-only but DMARC/SPF.  Then yes, of course.  But...

>> GPG can be avoided by choosing DKIM instead (+ optionally a DMARC policy), 
>> but this _is_ a cryptographic signature.
>
> That’s why I didn’t talk about it.

...unfortunately, strict DMARC that relies only on SPF without DKIM is nearly
unusable for anyone who wants to use mailing lists: a remailed message no
longer originates from, say, fencepost.gnu.org but from a listserver, and
a signature that could be used to prove the authenticity the other way is
absent.

Attachment: signature.asc
Description: PGP signature
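
The mailing-list problem described in the message above, as an added example that is not part of the original thread: a simplified DMARC check (SPF or DKIM must pass and align with the From: domain, per RFC 7489) run over four constructed deliveries. All domains, IP addresses and the SPF table are constructed, and the DKIM case assumes the list forwards the message without altering signed content.

```python
# Added illustration: simplified DMARC evaluation (RFC 7489 identifier alignment).
# All domains, IPs and SPF data are constructed; no DNS lookups are made.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for published SPF records: domain -> authorized sender IPs.
SPF_AUTHORIZED = {
    "author.example": {"192.0.2.10"},
    "lists.example": {"198.51.100.25"},
    "impostor.example": {"203.0.113.65"},
}

@dataclass
class Delivery:
    client_ip: str                     # IP of the SMTP client that connected
    mail_from_domain: str              # envelope sender (RFC5321.MailFrom) domain
    header_from_domain: str            # domain in the visible From: header
    dkim_domain: Optional[str] = None  # d= of a signature that verified, if any

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(a: str, b: str, strict: bool) -> bool:
    return a.lower() == b.lower() if strict else org_domain(a) == org_domain(b)

def spf_pass(d: Delivery) -> bool:
    # SPF only asks: may this IP send for the *envelope* domain?
    return d.client_ip in SPF_AUTHORIZED.get(d.mail_from_domain, set())

def dmarc_pass(d: Delivery, strict: bool = True) -> bool:
    spf_ok = spf_pass(d) and aligned(d.mail_from_domain, d.header_from_domain, strict)
    dkim_ok = d.dkim_domain is not None and aligned(d.dkim_domain, d.header_from_domain, strict)
    return spf_ok or dkim_ok

DIRECT = Delivery("192.0.2.10", "author.example", "author.example")
FORGED = Delivery("203.0.113.65", "impostor.example", "author.example")
VIA_LIST = Delivery("198.51.100.25", "lists.example", "author.example")
VIA_LIST_DKIM = Delivery("198.51.100.25", "lists.example", "author.example",
                         dkim_domain="author.example")

def evaluate_all() -> dict:
    cases = {"direct": DIRECT, "forged": FORGED,
             "via_list": VIA_LIST, "via_list_dkim": VIA_LIST_DKIM}
    return {name: dmarc_pass(d) for name, d in cases.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:14s} DMARC {'pass' if ok else 'fail'}")
```

Note that `spf_pass` succeeds for the list-relayed message (the list server is authorized for its own envelope domain), yet DMARC still fails because that domain does not align with the From: header.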
