[amluto]

You said:

> The modern Internet was designed with the assumption that the DNS is insecure.

SPF and such may well be designed under the assumption that DNS is insecure but, under that assumption, they too are insecure.

[tptacek]

I don't understand your argument. Again, we have SPF and DKIM now, and neither rely on DNSSEC, which is good, because virtually nobody uses DNSSEC. You absolutely do need SPF and DKIM configured to be a mail sender; the Internet does rely on those. But you do not need DNSSEC to do that, and nobody cares if you do or don't.

[amluto]

And the security is weaker than it should be because the SPF, etc records are unauthenticated.

[tptacek]

That's not how security works. In the real world, security is in part a resource allocation problem. We spend resources to raise the cost of an attack over the threshold a model attacker would pay. There is a reason nobody gives enough of a shit to sign SPF records, and you can start to see it by taking the time to track down all the incident reports where someone exploited cache poisoning to override SPF.