ietf-mxcomp

Re: SPF abused by spammers

2004-09-10 08:16:04

Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
> If the mailbox domain has been safely blacklisted, then no confirmation
> with respect to the IP address from the SPF records is needed.

  RFC 2821 header checking against authentication records in DNS
enables recipients to safely blacklist mailbox domains.

  i.e.  100% of messages from a domain pass RFC 2821 DNS checks, and
are spam: the recipient may choose to blacklist the domain.

  In the absence of those checks, the recipient can still blacklist
the domain, but has no way of knowing for sure if the messages are
forged, and thus an attack by a malicious third party, who wishes to
disrupt communications between the alleged originator and the
recipient.

> Should abusive mail be discovered, it would be unsafe to conclude
> the SPF mailbox-domain/IP address confirmation is tenable for
> establishing a name blacklist.

  Are there reasons why this is true?

> Only the IP address has received sufficient authentication for such
> a listing, but then this has not improved upon current IP address
> blacklisting.

  You are stating that your position is that your position is correct.

> There are many cases where an MTA is shared.
> ...
> A breach in the mail channel integrity can happen within either the
> receiving or sending realm.  An SPF blacklisting fails to locate the
> accountable entity.

  Shared services means shared accountability.  If the recipient is
unable to distinguish between a "good" party on a shared MTA and a
"bad" party, then by definition, both parties fall into the same
classification.

  Alan DeKok.
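
Added example, not part of the original message: a sketch of the accounting rule argued in the reply above, where spam is charged to the sending domain only when the SPF check passed and to the connecting IP otherwise. The log records, thresholds, and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (client_ip, MAIL FROM domain, SPF result, judged spam?)
SAMPLE = [
    ("192.0.2.10", "bulk.example", "pass", True),
    ("192.0.2.10", "bulk.example", "pass", True),
    ("192.0.2.11", "bulk.example", "pass", True),
    ("198.51.100.7", "victim.example", "fail", True),   # forged sender
    ("198.51.100.7", "victim.example", "fail", True),
    ("198.51.100.7", "victim.example", "none", True),
    ("203.0.113.5", "victim.example", "pass", False),   # genuine mail
    ("203.0.113.9", "shared.example", "pass", True),    # shared MTA, mixed senders
    ("203.0.113.9", "shared.example", "pass", False),
    ("203.0.113.9", "shared.example", "pass", True),
]

def blacklist_candidates(records, min_msgs=3, spam_ratio=1.0):
    """Return (domains, ips) that meet the listing threshold.

    Spam is charged to the domain only when SPF passed. On any other
    result the domain may be forged, so only the connecting IP is charged.
    """
    dom = defaultdict(lambda: [0, 0])   # domain -> [spam, total], SPF pass only
    ip = defaultdict(lambda: [0, 0])    # ip -> [spam, total], non-pass only
    for client_ip, domain, spf, is_spam in records:
        bucket = dom[domain.lower()] if spf == "pass" else ip[client_ip]
        bucket[0] += int(is_spam)
        bucket[1] += 1

    def over(table):
        return sorted(k for k, (s, n) in table.items()
                      if n >= min_msgs and s / n >= spam_ratio)

    return over(dom), over(ip)

if __name__ == "__main__":
    domains, ips = blacklist_candidates(SAMPLE)
    print("domain candidates:", domains)
    print("ip candidates:", ips)
```

With the default 100% threshold, the forged `victim.example` mail never counts against that domain; lowering `spam_ratio` lists `shared.example` as a whole, since the recipient cannot tell its senders apart.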

