Douglas Otis wrote:
> there are ways to prevent the SPF record from being
> discovered from sub-domains negating supposed spoof
> protections.
What are you talking about? If your domain is an.example,
and your users use MAIL FROM:<user@an.example> via your MSA,
which says HELO msa.an.example, and if you have SPF sender
policies "v=spf1 a:msa.an.example -all" for an.example and
"v=spf1 a -all" for msa.an.example, where's the problem?
> there is no way to know if the recipient of a message from
> such an SPF-domain will be forwarding the message.
Yes, the "S" in SPF stands for "sender policy". As soon as
the receiver does interesting things they are his business.
If the receiver checks SPF at the wrong place, resulting in a
FAIL and reject, then he should fix his routing, or find any
other solution for his problems; the sender didn't cause it.
Bye, Frank
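As an added illustration of the two policies discussed above (example code written for this page, not part of the thread or of any SPF implementation), here is a small evaluator for the "a", "ip4", "include" and "all" mechanisms of SPF, run over constructed DNS data. The A-record addresses, the forwarder address 198.51.100.5 and the domains forwarder.example and other.example are assumptions made up for the example. It shows the check passing when done at the MSA (both for MAIL FROM and HELO) and failing once a forwarder re-sends the message, with MAIL FROM unchanged, from an address the sender policy does not list.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over constructed DNS data."""
import ipaddress

# Constructed zone data for the example; not real DNS content.
DNS_A = {
    "msa.an.example": ["192.0.2.10"],      # the MSA from the thread
    "an.example": ["192.0.2.1"],           # the domain's own web/MX host
    "forwarder.example": ["198.51.100.5"], # assumed third-party forwarder
}
DNS_TXT_SPF = {
    "an.example": "v=spf1 a:msa.an.example -all",      # policy from the thread
    "msa.an.example": "v=spf1 a -all",                 # policy from the thread
    "forwarder.example": "v=spf1 a -all",
    "other.example": "v=spf1 include:an.example ~all",  # assumed, shows include/softfail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: at most 10 DNS-querying mechanisms per check


def _ip_in_a(ip, name, prefix_len):
    """True if `ip` falls within any A record of `name` (optionally widened by a CIDR length)."""
    prefix_len = 32 if prefix_len is None else prefix_len
    return any(
        ip in ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        for addr in DNS_A.get(name, [])
    )


def check_spf(ip, domain, _lookups=None):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none", "permerror")
    for connecting address `ip` and the domain taken from MAIL FROM or HELO."""
    ip = ipaddress.ip_address(ip)
    lookups = _lookups if _lookups is not None else [0]
    record = DNS_TXT_SPF.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "a":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target, _, prefix = (arg or domain).partition("/")
            matched = _ip_in_a(ip, target, int(prefix) if prefix else None)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(ip, arg, lookups)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not supported by this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match and without "all"


def delivery_paths():
    """MAIL FROM:<user@an.example>, checked where the message actually arrives."""
    return {
        # receiver's MX talks directly to the MSA: both MAIL FROM and HELO pass
        "mail_from_at_msa": check_spf("192.0.2.10", "an.example"),
        "helo_at_msa": check_spf("192.0.2.10", "msa.an.example"),
        # the recipient forwards the message unchanged; the next hop sees the
        # forwarder's address, which an.example's policy does not list
        "mail_from_after_forward": check_spf("198.51.100.5", "an.example"),
    }


if __name__ == "__main__":
    for path, result in delivery_paths().items():
        print(f"{path}: {result}")
```

The "mail_from_after_forward" result is the FAIL the thread talks about: the sender's policy is correct, the forwarder simply is not the sender, so a receiver that checks at that hop is checking at the wrong place.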