So, to use a real-world example, what you're saying is that if you want to
spoof Twitter, to avoid your email being caught by the -all in Twitter's SPF
record, you could use foo.twitter.com as the sending domain and your email
wouldn't be blocked because of an SPF fail.
I think that's correct.
You could also use aimport dot no (as some spammer sending a fake Twitter email
did an hour ago). That domain doesn't have an SPF record either.
As we're talking about the MAIL FROM in the SMTP envelope, which usually isn't
shown to the user, I don't think this is a big problem.
Perhaps your MTA or spam-filter does use the MAIL FROM in its decision whether
to deliver the email or not. If it decides to deliver the message because it
claims to come from Twitter, uses a subdomain of twitter.com and didn't fail
SPF, then that's very wrong. But I don't think it's SPF's fault.
Martijn.
________________________________
Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
_______________________________________________
Asrg mailing list
Asrg@irtf.org
http://www.irtf.org/mailman/listinfo/asrg
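The point argued above, as an added example that is not part of the original post or thread: a minimal offline model of an SPF check on the envelope MAIL FROM domain, run against a constructed DNS table (the twitter.com record and all IP addresses are illustrative, not the real ones), followed by the flawed filter policy the post describes next to a policy that only grants trust on an explicit pass.

```python
# Added example; not code from the original post. Constructed DNS data: the
# twitter.com record and all addresses below are made up for illustration.
# Only ip4 mechanisms and the "all" qualifier are modelled; real SPF
# (RFC 7208) also has include, a, mx, redirect and macros.
import ipaddress

DNS_TXT = {
    "twitter.com": "v=spf1 ip4:199.16.156.0/22 -all",
    # foo.twitter.com publishes no record of its own: nothing is inherited
    # from the parent zone, so a check on it can never reach the parent's -all.
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from_domain: str, client_ip: str) -> str:
    """Return none/pass/fail/softfail/neutral for the envelope MAIL FROM domain."""
    record = DNS_TXT.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"          # no record at all: "none", not "fail"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue           # mechanism not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # nothing matched and no explicit "all"


def naive_trusts_brand(mail_from_domain: str, result: str) -> bool:
    """The flawed policy from the post: the sender looks like twitter.com
    (exact domain or any subdomain) and SPF did not *fail*."""
    looks_like_twitter = (mail_from_domain == "twitter.com"
                          or mail_from_domain.endswith(".twitter.com"))
    return looks_like_twitter and result != "fail"


def strict_trusts_brand(mail_from_domain: str, result: str) -> bool:
    """Trust only an explicit 'pass' for the exact domain that publishes the
    record; 'none' on a subdomain is no evidence of anything."""
    return mail_from_domain == "twitter.com" and result == "pass"
```

With a mail from 203.0.113.5 claiming foo.twitter.com, `spf_check` returns "none" and the naive policy still trusts it, which is exactly the "not fail, therefore fine" mistake the post calls out.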