On Mon, Dec 06, 2004 at 09:29:07PM +0100, jpinkerton wrote:
Sounds to me like the only thing they're using SPF for is to say that if
in place to provide forgery prevention they'll forego confirmation. Not
unreasonable decision, especially once we get to the point where MTAs will
SMTP AUTH to prevent in-server spoofing...
True - but it's a short step from using spf records as "we" intend them to
be used, albeit in some other environment, to them using the records to do
their own checks in some way that we had not forseen.
I think this is a bad example to prove your point.
An SPF-PASS can be used to skip some other checks, I truly believe this
has been discussed before on this list.