Jim Fenton wrote:
> we're in the "treat the message (hint-hint, nudge-nudge) with
> prejudice" realm, which is more dangerous than being more
> specific, as Scott Kitterman has noted about SPF.
Some folks including me disagree very strongly with this opinion:
* SPF is very strict about not dictating any "receiver policy",
and in one case (PermError) this strict approach even caused
a now confirmed erratum re-inserting the lost extended error
code for receivers wishing to reject PermError.
* For obvious reasons checking SPF works best at the border MTA
in an SMTP session before DATA. Getting a FAIL at this point,
receivers obviously had better reject the mail, otherwise they'd
later be forced to drop it (bouncing FAIL is no sound option).
* Some folks discussed here under the tag "high value phishing
targets" proposed a "DWIM FAIL" introducing "receiver policy"
REJECT for this "harderfail" or whatever it is. The proposal
wasn't accepted, as it would water down millions of policies
with an ordinary FAIL, also of course hoping for a REJECT in
(rare) cases of "clueless receiver checked behind his border".
* This reasoning is simple, obvious, and valid for SPF; it's not
necessarily also good for PRA or SSP. If you want "DWIM FAIL"
in SSP, go for it, but don't say that it's lacking in SPF.
Frank
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html