ietf-mxcomp

TECH-OMISSION: Security considerations and limit scope

2004-08-30 11:59:31

Protocol & Core

There is no security advice for using random source ports for DNS
queries reaching the Internet.

There is no advice regarding the potential presence of transparent
interception of outbound SMTP traffic by ISPs.

There is no advice warning against the use of "?all" in the case of
shared outbound SMTP servers.

There is no advice for the use of "+all".  Jim Lyon explained this will
lead to bad reputations.  This implies the mailbox domain, used to
resolve the MTA address, is also being used to establish reputations,
even when the MTA is not authorized!

There should be advice warning against establishing reputation
information when the MTA address has not been authenticated, or when the
SPF2 record uses "?all".  It must not be presumed all MTAs check for the
SPF2 permissions, or that the outbound MTA is not shared, nor can this
checking and sharing be verified. 

There should be a caution that prohibits reputations based upon
non-authorized MTAs.

There should also be a warning for "?all" when the outbound path is
shared.  This sharing will "promote" mail from other domains as being
fully validated and may lead to false assumptions with respect to the
recipient, when the Mailbox domain is used to either obtain or record
this information.

There should be advice that only the IP address should be used to check
reputations and to base complaints, as the Mailbox domain has not been
adequately authenticated while it cannot be presumed all MTA servers in
the path of the message performed the requisite mail channel checks and
that the MTA is not shared with other disparately administered domains.

Don't limit the scope of the SPF record to just PRA plus others.  Leave
the record open to any scope that may exclude PRA.

The use of exists and ptr record types adds a burden the recipient may
not wish to endure.  There should be a warning that this type of record
may be rejected.

-Doug
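Added example (not part of Doug's message, nor code from any SPF draft or implementation): a minimal SPF evaluator plus the reputation-keying policy the message argues for. It shows concretely why "+all" and "?all" matter: "+all" yields "pass" for any sender, and "?all" yields "neutral", so neither result says anything about who actually sent the message; only a "pass" from a specific mechanism such as ip4 authenticates the host. The reputation policy therefore keys on the IP address always, and on the mailbox domain only after such an authenticated pass. It also lists the terms that force the recipient into DNS lookups (a, mx, ptr, exists, include, redirect=), which is the burden the last point raises. The domains and records are constructed for illustration; only ip4/ip6/all are evaluated offline, and mechanisms needing DNS are reported rather than resolved.

```python
import ipaddress

# Constructed records for example domains (hypothetical, no DNS involved).
RECORDS = {
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 -all",
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "open.example":    "v=spf1 +all",
    "shared.example":  "v=spf1 ip4:198.51.100.10 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


def _split_qualifier(term):
    """Split a leading qualifier off a term; the default qualifier is '+'."""
    if term[0] in QUALIFIERS:
        return QUALIFIERS[term[0]], term[1:]
    return "pass", term


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP.

    Returns (result, term): the term that matched ("all" included), or
    (neutral, None) when nothing matched.  Only ip4/ip6/all are evaluated;
    a mechanism that needs DNS raises rather than being silently skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        result, mech = _split_qualifier(term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if "=" in name:          # modifiers such as exp= / redirect= ignored
            continue
        if name == "all":
            return result, term
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result, term
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS; not done here")
    return "neutral", None


def reputation_keys(client_ip, mail_from_domain, result, term):
    """Identities a receiver may attach reputation or complaints to.

    The IP address is always a valid key.  The mailbox domain is added only
    when the host was positively authenticated: a 'pass' from a specific
    mechanism.  A pass from '+all' authorizes anyone, and '?all' gives
    'neutral', so neither ties the message to the domain.
    """
    keys = [("ip", client_ip)]
    authenticated = (result == "pass" and term is not None
                     and term.lstrip("+").lower() != "all")
    if authenticated:
        keys.append(("domain", mail_from_domain))
    return keys


def dns_dependent_terms(record):
    """Terms the receiver can only evaluate by issuing DNS queries."""
    out = []
    for term in record.split()[1:]:
        _, mech = _split_qualifier(term)
        name = mech.partition(":")[0].partition("/")[0].lower()
        if name in DNS_MECHANISMS or mech.lower().startswith("redirect="):
            out.append(term)
    return out


def classify(domain, client_ip):
    """Evaluate the constructed record for `domain` and choose reputation keys."""
    result, term = evaluate_spf(RECORDS[domain], client_ip)
    return result, term, reputation_keys(client_ip, domain, result, term)


if __name__ == "__main__":
    for dom, ip in [("strict.example", "192.0.2.5"), ("strict.example", "203.0.113.7"),
                    ("neutral.example", "203.0.113.7"), ("open.example", "203.0.113.7"),
                    ("shared.example", "198.51.100.10")]:
        print(dom, ip, classify(dom, ip))
    print(dns_dependent_terms("v=spf1 ip4:192.0.2.0/24 ptr exists:%{i}.rbl.example -all"))
```

Note that "shared.example" still produces an authenticated pass from 198.51.100.10: nothing in the record tells the receiver that this host also relays for other domains, which is exactly the point that sharing cannot be verified from the receiving side and that "?all" on such a record lets the shared host's other customers ride on the domain's reputation.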
