XMPP differs from SMTP and SIP because there are no intermediate domains - traffic passes from the source domain to the destination domain directly, and in effect the concepts inherent in DKIM and SPF about authorised senders are baked into the basic protocol.
Ah, ok. Most likely the vast majority of email probably has that property too, but not all of it.
Yes, but SMTP-Auth closes that circle. Whether you can reliably know whether a domain in fact uses it consistently is another matter. In an out of band kind of way, you could be very certain, eg subpoenaed server logs, etc. I've been waiting for that shoe to drop.
Yes, from a legal standpoint you can get some assurance, though that has less effect anywhere between very small personal services and quite large ones.
But in some technically provable manner, you really need some cryptography to run end-to-end.
Legal of course doesn't need to be technically provable,
especially for civil matters where a preponderance of evidence is
sufficient -- at least in America.
But for the average SIP spam/phishing case the user part probably doesn't mean much. I really have no clue who gladys@xxxxxxx is, but I sure do want to know if irs.gov claims she's one of theirs. I definitely have no clue what 19165551212@xxxxxxx is. If it's legit from irs.gov, I'd be very inclined to pick up the phone (although they say they never make unsolicited phone calls). Likewise, since I know that gphone.com requires authentication and signs its signalling, I can legitimately infer that it's at least coming from gphone and if I get spammed, I can complain. I doubt that spam actually originating from gmail is a very serious problem these days.
Mike
