mail-vet-discuss

Re: [mail-vet-discuss] results should be method specific

2008-02-27 17:17:45

I'm no expert on senderid or spf, but isn't the pertinent field for
senderid the PRA?

More broadly, if I got it wrong it only illustrates the problem I have
with the authres draft giving no guidance... this really needs to be
spelled out.

               Mike


If you don't specify MFROM then the RFC does use PRA. We publish
SPF2.0/MFROM because we specifically don't want someone relying on PRA
for mail purporting to be from our domains.

There are specific attacks where someone can use an arbitrary Sender
field (where the domain doesn't publish a record) to get a neutral on
mail abusing a From domain that does publish SPF records (whether SPF1
or SPF2). This occurs because the RFC says that if you have a Sender
field, that is what you set the PRA to be.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
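
The PRA selection discussed in this thread, as an added example that is not part of the original messages: a simplified Python version of the RFC 4407 header order, used to report when the PRA domain differs from the From domain so that a Sender ID result is not read as a verdict on From. It omits the Received/Return-Path ordering test that RFC 4407 applies to Resent-Sender; the function names, domains and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def _single_mailbox(values):
    """Return the lone addr-spec in these header values, or None if ill-formed."""
    if len(values) != 1:
        return None
    addrs = [addr for _, addr in getaddresses(values) if addr]
    if len(addrs) != 1 or "@" not in addrs[0]:
        return None
    return addrs[0]

def _domain(mailbox):
    return mailbox.rsplit("@", 1)[1].lower() if mailbox else None

def purported_responsible_address(msg):
    """Return (header_name, mailbox), or (None, None) if no PRA can be determined."""
    # Resent-* headers: the first non-empty one wins. Sender/From: exactly one allowed.
    order = (("Resent-Sender", True), ("Resent-From", True),
             ("Sender", False), ("From", False))
    for name, first_only in order:
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if not values:
            continue
        mailbox = _single_mailbox(values[:1] if first_only else values)
        return (name, mailbox) if mailbox else (None, None)
    return None, None

def pra_report(raw_message):
    """Show which header supplied the PRA and whether it vouches for From."""
    msg = message_from_string(raw_message)
    header, pra = purported_responsible_address(msg)
    from_values = [v for v in msg.get_all("From", []) if v.strip()]
    pra_domain, from_domain = _domain(pra), _domain(_single_mailbox(from_values))
    return {"pra_header": header, "pra_domain": pra_domain, "from_domain": from_domain,
            "pra_covers_from": pra_domain is not None and pra_domain == from_domain}

# Constructed sample messages (not from the thread).
WITH_SENDER = ("Sender: relay@no-record.example\n"
               "From: Accounts <billing@protected.example>\n"
               "Subject: constructed sample\n\nbody\n")
FROM_ONLY = ("From: Accounts <billing@protected.example>\n"
             "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for sample in (WITH_SENDER, FROM_ONLY):
        print(pra_report(sample))
```

A receiver that records `pra_header` and `pra_domain` next to the Sender ID result keeps the result method specific: when `pra_covers_from` is false, the check evaluated the Sender domain and says nothing about the From domain's published policy.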
