ietf-mxcomp

RE: when spoofing isn't

2004-03-19 11:03:10

For my particular domain, verisign.com, I want all email that does not
originate from the VeriSign email servers to be eliminated.

        * No Web mails
        * No postcards
        * No cartoons from Cagle
        * No unauthorized laptops sending email directly.

That is because we are in the payments and security business. I don't
want Phishing scams pretending to come from the VeriSign domain.

I don't think these are actually legit for any email address; the
message does not come from me, it comes from Cagle or whoever has
the web site. It should have their name on it, not mine.


Let the MUA display the "Return Path" header which will be 
verified via MAIL FROM.

Changing the MUAs is a completely unreasonable demand. Changing the
ad hoc forwarding services to honestly describe themselves as such 
is a completely reasonable one.


The easy way to address this is to add a flag onto the policy 
description:

_spf.verisign.com TXT "IP:10.0.0.1/24 verify=rfc822"

Or equivalent in your favorite syntax.


All we are doing here is listing out the edge mail servers. You can 
play whatever games you like but this is where implementers will make 
their own decisions. If they want to check 822 headers they will.

Rather than telling the postcard web sites that nothing is going to 
change it would be better to tell them how to change in a way that
is going to maximize the chance their mail gets through.

That is the reason that people are putting these records up: they
want to maximize the probability that the email they source gets
through.

                Phill
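
Added example, not part of the original message: a sketch of how a receiving server could act on a record written in the illustrative syntax above. It assumes that verify=rfc822 means "also check the domain in the 822 From: header against the listed edge servers"; the POLICIES table stands in for DNS lookups, and cards.example, the addresses and the sample messages are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Stand-in for TXT lookups of _spf.<domain>. The first record is the one quoted
# in the message; the second is a constructed postcard site.
POLICIES = {
    "verisign.com": "IP:10.0.0.1/24 verify=rfc822",
    "cards.example": "IP:192.0.2.0/24",
}

def parse_policy(txt):
    """Split the illustrative record into networks and key=value flags."""
    nets, flags = [], {}
    for term in txt.split():
        if term.upper().startswith("IP:"):
            # strict=False because the sample writes 10.0.0.1/24 with host bits set
            nets.append(ipaddress.ip_network(term[3:], strict=False))
        elif "=" in term:
            key, value = term.split("=", 1)
            flags[key.lower()] = value.lower()
    return nets, flags

def domain_of(address):
    """Domain part of an address such as 'Alice <alice@verisign.com>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def evaluate(client_ip, mail_from, raw_message, policies=POLICIES):
    ip = ipaddress.ip_address(client_ip)
    # 1. Envelope: is the connecting host an edge server for the MAIL FROM domain?
    env = policies.get(domain_of(mail_from))
    if env is not None and not any(ip in n for n in parse_policy(env)[0]):
        return "reject: envelope"
    # 2. Header: only when the From: domain opted in with verify=rfc822 (assumed meaning).
    hdr = policies.get(domain_of(message_from_string(raw_message).get("From", "")))
    if hdr is not None:
        nets, flags = parse_policy(hdr)
        if flags.get("verify") == "rfc822" and not any(ip in n for n in nets):
            return "reject: header"
    return "accept"

def postcard(from_header):
    """Constructed message as a postcard web site might send it."""
    return f"From: {from_header}\nSubject: A postcard for you\n\nhello\n"
```

The postcard site passes the envelope check with its own MAIL FROM either way; it is rejected only when it puts a verisign.com address in From:, and accepted when it uses its own name there.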



