It has been argued in SPF circles, that if you receive a message
which the (purported) sender's policy declares to be a hard failure
(-), the message is _proven_ to be a forgery, an unauthorised
re-transmission, or whatever.
If the policy is only "-all", i.e., this domain sends no mail at all,
then the policy is credible. If the policy is anything else followed
by -all, it's not. One of SPF's many problems is that it posits a
model of the e-mail world that is a lot simpler than the real world.
In the real world, there are whole lot of remailers and forwarders,
and no matter how desperately some domains might want to argue that
nobody's allowed to forward, etc., those arguments are about as
persuasive as the boilerplate likely found at the bottom of their mail
that says "if we sent you this mail by mistake you must hand deliver
it back to us or go to jail." People want their bank statements or
whatever, even if the address they give to the bank is their permanent
forwarding address from their alma mater.
I do agree that bounces vs. rejects are an increasing problem, and
I'm having trouble figuring out if there's any way I can do bounces
reasonably for the fraction of the mail here for which I can't tell
if it's deliverable at SMTP time.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com