Alexandre François Garreau <[email protected]> wrote: > Le samedi 9 novembre 2019 23:32:59 CET, vous avez écrit : >> Alexandre François Garreau <[email protected]> wrote: >> > Le samedi 9 novembre 2019, 21:44:46 CET Dmitry Alexandrov a écrit : >> >> In the light of yet another letter from your impostor, do you have any >> >> more unresolved questions, that impede you from starting to sign mail? >> >> Feel free to ask them. >> > Note signing can be avoided with effective spf policy. >> >> No, it can not. SPF has nothing to do with message headers. Itʼs an >> antispam measure, that can help to detect fakes when one tries to fake a >> domain name of his _SMTP-server_ (e. g. claim that his 89.184.73.65 is not >> nvs406.mirohost.net but fencepost.gnu.org), but our impostor have not >> bothered to do it. > > It is both meant to authentify IP adresses and domains. So > nvs406.mirohost.net instead of fencepost.gnu.org stays invalid as of strict > SPF policy (if DMARC asks to enforce it).
Ah, so itʼs not SPF-only but DMARC/SPF. Then yes, of course. But... >> GPG can be avoided by choosing DKIM instead (+ optionally a DMARC policy), >> but this _is_ a cryptographic signature. > > That’s why I didn’t talk about it. ...unfortunately, strict DMARC that relies only on SPF without DKIM is nearly unusable for anyone who wants to use mailing lists: remailed message is no longer originated from, say, fencepost.gnu.org but from a listserver, and signature that could be used to prove the authenticity in the other way, is absent.
signature.asc
Description: PGP signature
