First, I agree with what John has said.
Some add'l feedback:
No record -> REJECT is not appropriate, even where, as you
explained, there's some code (not presented) that somehow discovers
which domains say they support which authentication schemes. The code
should not assume that this has happened; it should function even if
previous code has been unable to discover which domain authentication
schemes the sender supports. For example, if the sender posts to a
mailing list, will the subscribers' servers always be able to discover
all the domain authentication schemes that could be useful? Perhaps the
mailing list server supports different schemes from the poster's server....
I think we should not adopt the same result code nomenclature as SPF,
but rather something else, as SPF is a mishmash of path-based and
point-to-point stuff means that the quality of the labels is very
different from (and better than) those of SPF. How 'bout CSVpass,
CSVfail, CSVneutral, and tempfail? It would be good to put such
nomenclature in the specs, IMO. The server configuration file would
then map these to SMTP return codes.
Some add'l comments:
This is pyCSA, not pyCSV (at least not yet). CSV=CSA+DNA.
CSA Record -> ACCEPT (or CSVpass) is not quite right. DNA still needs to
be checked.
Thanks.
Python is indeed easy to read.