Alessandro Vesely wrote:
| A "Fail" result is an explicit statement that the client is not
| authorized to use the domain in the given identity. The checking
| software MUST reject the mail outright.
No, the checking software might be not in the position where it
still can reject the mail. It's at best a SHOULD in a not yet
existing "receiver policy" RFC. For SPF it's actually a feature
that spammers cannot simply probe who rejects FAIL, there might
be also receivers moving FAIL silently into a trash folder.
As long as spammers must fear that SPF FAIL never makes it they
can't abuse FAIL protected addresses anywhere. With your proposal
they could abuse SPF FAIL protected addresses at all receivers not rejecting
There are no false positives, since the domain owner is the
direct origin of such "explicit statement".
Right, but the domain owner isn't always the same as the domain
user, and the receiver mailbox can be a user forwarding his mail
to an address at a third party checking SPF. Arguably that is a
kind of "false positive", and in that case I really hope that a
FAIL is rejected, and doesn't vanish silently in a trash folder.
Sender Policy Framework: http://www.openspf.org
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription:
Powered by Listbox: http://www.listbox.com