Authentication and Repudiation

Email Authentication lets you demonstrate that you sent a particular email.
Email Repudiation is a claim that you didn’t send a particular email.
 
SPF is only for email authentication [1]
DKIM is only for email authentication
DMARC is only for email repudiation
 
[1] SPF was originally intended to provide repudiation, but it didn’t work reliably enough to be useful. Nobody uses it for that now.

2 comments

  • It’s not quite true that nobody uses SPF for repudiation. A plain “-all” SPF is somewhat useful for a domain to say that it sends no mail at all. But other than that, you’re right, and as we all know, DMARC’s repudiation model has some severe problems too.

  • Senders can certainly use “-all” to state they send no mail – and that can be useful information to publish – but receivers pay no attention to it, because they don’t special case just a “-all” record, they just see it as an SPF failure and they don’t reject mail that fails SPF.
    Edit: Special-casing “no mail” is supported in some SPF checking code, and it’s probably a good thing to enable, but when I tested a few big ISPs a year or so back, none of them seemed to do that.

By steve
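
The “no mail” special case discussed in the comments, sketched as an added example (not code from the post, the commenters, or any particular SPF library). The function names and verdict labels are hypothetical, and the sample records in the comments are constructed.

```python
import re

# A modifier is written name=value (RFC 7208); every other term is a mechanism.
MODIFIER = re.compile(r"([A-Za-z][A-Za-z0-9._-]*)=(.*)")

def parse_spf(record):
    """Split an SPF TXT record into (mechanisms, modifiers).

    Returns None when the text is not an SPF version 1 record.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        m = MODIFIER.fullmatch(term)
        if m:
            modifiers[m.group(1).lower()] = m.group(2)
            continue
        # An absent qualifier means "+" (pass).
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        else:
            qualifier, body = "+", term
        mechanisms.append((qualifier, body.lower()))
    return mechanisms, modifiers

def is_null_spf(record):
    """True when the record authorizes nothing: its only mechanism is -all.

    Modifiers do not change that: exp= only supplies an explanation, and
    redirect= is ignored whenever an "all" mechanism is present.
    Constructed samples: "v=spf1 -all" is null, "v=spf1 mx -all" is not.
    """
    parsed = parse_spf(record)
    return parsed is not None and parsed[0] == [("-", "all")]

def receiver_verdict(spf_result, record):
    """Hypothetical receiver policy hook.

    A fail produced by a null record is reported as its own verdict, so it
    can be handled as "this domain sends no mail" rather than as an
    ordinary SPF failure. Every other result is passed through unchanged.
    """
    if spf_result == "fail" and is_null_spf(record):
        return "no-mail-domain"
    return "spf-" + spf_result
```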
