As a frequent joe job and virus victim, I would be very pleased to see
a proposal go forward that would allow mail-from checking. However, I
have two concerns.
First, it would need to be clear how multiple checks should interact
when receiving sites perform multiple checks. In particular, it must
be the case that a site checking both mailfrom and pra should always
reject mail when mailfrom fails (even if pra passes). This might be
as simple as saying if any test fails, the message is considered to
have failed.
Second, if we just go forward and do this with the minimum amount of
change necessary to the documents, I fear we may lose an opportunity
to do something better. In particular, if the idea is that sites may
wish to do multiple kinds of checking, it would probably be very
useful to have access to the envelope sender from within the PRA
check.
For example, bank.com may wish to say that if the PRA is bank.com, the
envelope sender should be bank.com or outsource.com (which could then
be enforced with mailfrom).
This would require a new macro for the mailfrom domain (%{m}?), and
would also benefit greatly from some kind of string comparison
mechanism--maybe eq:string1:string2. You'd want to be able to say
something like:
+eq:%{d}:%{m} +eq:outsource.com:%{m}
in your /pra record. It's possible to achieve something similar with
the exists: mechanism, but it requires more DNS traffic.
That said, since since both technical and legal concerns make the PRA
not useful to me, I guess I don't really care very much about this.
I'm basically happy with SPF-classic, and view your proposal as a way
to continue using SPF-classic while just changing "v=spf1" to
"spf2.0/mailfrom".
Perhaps the point is I'd be sympathetic to anyone who asked for a
little more time to explore the possibility of cross-scope mechanisms.
David