On Nov 30, 2003, at 11:49 AM, Rob Kaper wrote:
> Should SPF-compliant MTAs be allowed to send (partial) bounces for
> SPF-determined failures?

SPF should be an inter-MTA protocol -- there is no need for this to
turn into a client side interaction (speaking as someone who has been
Joe Jobbed and received hundreds of thousands of bounces over nearly a
year).

The default (working) assumption is the sender is permitted. The
alternative is they are attempting to forge their credentials, at which
point they are simply denied - no notification needs to be sent back to
the very person initiating the forgery.

I've been following the list for a few weeks, and am working on a
related research project in the area. If I could make a
recommendation, it would be very helpful to come up with a requirements
document for *exactly* what SPF is designed to do (and not do).

The initial draft was simple to read, understand, and implement. The
latest draft is starting to smell like sendmail, if you catch my drift.
Simple is better when it comes to convincing people to actually roll
out into production. If SPF isn't deployed widely, it won't matter how
clever it all is.

Let's not create a marketing problem on top of the technical one we're
trying to solve.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt