In section 5.3, this specification assumes all SPF checking will be done
at SMTP time which is not realistic. Some examples: some
implementations may retest a message later to either verify Sender-ID
results, because the load was too high when the message was received,
because the SPF checking was done after-SMTP (SpamAssassin).
This section should also leave open other authentication methods such as
POP before SMTP, SMTP AUTH, etc.
In addition, when done at SMTP time, other actions may be desirable on
the MTA such as a temp fail, throttling, teergrubing, etc.
I recommend changing the paragraph to read:
An SMTP server receiving this result SHOULD NOT treat the message as
authentic. However, it MAY treat the message as authentic or not
authentic based on other authentication methods. If the message is
rejected during the SMTP session, the SMTP server SHOULD reject the
message with a "550 5.7.1 Sender ID xxx - yyy" SMTP error, where
"xxx" is replaced with the additional reason returned by the
check_host function and "yyy" is replaced with the explanation string
returned by the check_host function.
Section 5.5 has the same assumptions, but because "MAY" is used there,
it's not an issue for implementors.
--
Daniel Quinlan
http://www.pathname.com/~quinlan/