ietf-mxcomp

Re: TECH-OMISSION: billing.victim.com is possible

2004-08-23 23:38:32

On Mon, Aug 23, 2004 at 04:35:20PM -0700,
Daniel Quinlan <quinlan(_at_)pathname(_dot_)com> wrote
a message of 18 lines which said:

> all a spammer/phisher needs to do is fake their email to come from
> "billing.victim.com" or some other undefined host.
> ...
> It may be sufficient to state that an implementation MAY fail or
> softfail in check_host() domain if no SPF2, MX, or A record exists.

IMHO, every sensibly managed MTA already refuses email from nonexistent
addresses (smtpd_sender_restrictions = reject_unknown_sender_domain in
Postfix), so I do not see this as an issue.

The lack of an MX or an A or an AAAA (meaning the message is
unreplyable) is a separate error (which is already addressed by
implementations).

[It has already been discussed on the spf-discuss list.]

The only thing to change should be to ask the MTA authors to allow the
testing of "unknown_sender_domain" to be performed on every address
used by the PRA algorithm.
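
The check proposed in the message above, sketched as an added example that is not part of the original post and is not Postfix code: every address in the headers the PRA algorithm can select from (Resent-Sender, Resent-From, Sender, From) is tested for an MX, A or AAAA record. The resolver, zone data, sample message and function names are constructed for illustration, with victim.example standing in for the thread's victim.com.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers the PRA algorithm can select an address from.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")
MAIL_RRTYPES = ("MX", "A", "AAAA")

# Constructed zone data standing in for DNS so the example runs offline.
SAMPLE_ZONE = {
    ("victim.example", "MX"): ["10 mail.victim.example."],
    ("lists.example", "A"): ["192.0.2.25"],
}

def sample_lookup(domain, rrtype):
    """Hypothetical resolver: the record list, or [] when none exists."""
    return SAMPLE_ZONE.get((domain.lower().rstrip("."), rrtype), [])

def domain_is_known(domain, lookup):
    """True when the domain has at least one MX, A or AAAA record."""
    return any(lookup(domain, rrtype) for rrtype in MAIL_RRTYPES)

def unknown_pra_domains(raw_message, lookup=sample_lookup):
    """Return (header, address) pairs whose domain fails the check.

    Every address in every PRA candidate header is tested, not only the
    one the PRA algorithm would finally select.
    """
    msg = message_from_string(raw_message)
    failures = []
    for header in PRA_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            _local, sep, domain = addr.rpartition("@")
            # An unparsable address fails the same way an unknown domain does.
            if not sep or not domain or not domain_is_known(domain, lookup):
                failures.append((header, addr))
    return failures

# Constructed message: the Sender domain exists, the From host does not.
SAMPLE_MESSAGE = (
    "Sender: relay@lists.example\n"
    "From: Billing <accounts@billing.victim.example>\n"
    "Subject: Your invoice\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for header, addr in unknown_pra_domains(SAMPLE_MESSAGE):
        print(f"reject: {header} address {addr} has no MX, A or AAAA record")
```

A check limited to the envelope sender would accept this message, because only the From header carries the undefined host.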

