On Thu, 2004-05-06 at 13:07, rbarclay(_at_)comcast(_dot_)net wrote:
<snip>
The first is the one described in the charter, and is the most
narrowly defined. At its most basic level it is "a receiver
knows mail from domain x is valid if it comes from one of a
set of MTAs identified in a DNS record".

To quote from the charter:
"The primary current use case for this facility is to allow recipient
MTAs to confirm that peer MTAs' actions are authorized by
specific domains or networks. ... the first task of the working
group will be to establish which of these identities should be
associated with MTA authorization. Once this decision has been
reached, it will limit the scope of further activity in this working
group, and the chairs will rule out of order discussion related to
schemes which use other identities as the basis of authorization."

It is not mail from domain X but rather an MTA from domain X. The
difference is slight, but significant. A small change to SPF would
allow clarity respecting the domain administrating MTA policy with a
clear authorization hierarchy. Otherwise, each message may change the
MTA identification based on a list of comparisons where the helo domain
is not paramount. There was some agreement the helo/ehlo identity was
benign and could be kept relatively static. It should be able to create
the smallest superset.

-Doug