Yes, it does; pobox.com should just simply not have accepted your bogus
amazon.com MAIL FROM address. Amazon publishes with "-all", and you're
not listed as an authorized relay for them.
As for the (sour) irony of pobox.com, the inventers of SPF, allowing you
this gross bogocity, well, suffice to say it raises a few eyebrows over
here. :) But it has nothing to do with the functionality of SPF itself,
and even less with SRS. In fact, with SPF switched "on", you would have
been halted at the very first MAIL FROM.
This super-awsomely-fantastic. you guys are really hitting on all
cylinders, bringing up all the important problems. I've been meaning to
raise some hell over this issue too ;)
I would like to suggest that pobox.com and any other forwarder or
secondary MX should not accept for delivery to a relayed recipient based
on pobox.com's local policy.
This "fail == reject" is a matter of local policy. In this case,
pobox.com should have consulted with the final recipient to see if it is
willing to accept a message with failing SPF check.
I thought SPF's mission is just to tell if the message is authentic or
not, but not suggest any disposition, be it to accept or to reject.
In any case, a definitive answer cannot be given until after RCPT TO:,
unless the site does no forwarding at all, in which case, an answer can
be given at MAIL FROM:
We don't currently have a mechanism for this as far as I know.
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com