Shevek <ietf-mxcomp(_at_)anarres(_dot_)org> writes:
The original design of SPF/Classic, which is now the design of
Unified-SPF/Mail-From was intended to prevent this case. It is clear to
see that the design would be successful in this aim.
It is a source of increasing disappointment to me that this working group
has turned away from these technically sound proposals in favour of more
complex, less technically sound, and less clearly directed proposals which
do not have the capability to prevent this relaying.
I agree.
But maybe there is room for both. First perform the SPF Mail-From
checks (to verify the mail comes from the sender domain it claims), so
that any subsequent bounces are not sent to innocent parties, and only
if these pass continue to the 'responsible sender' checks to ensure
that the RFC2822 'sender' is compatible with the MTA which originated
the mail to detect phishing etc.