spf-discuss

Use of deny matches and +all

2003-12-14 09:41:28
Somebody asked about whether deny matches would be found on anything other than all. I think so -- consider the case of a domain like aol.com. It is used by lots of people, who post normally from AOL servers, but sometimes from random addresses.

How about this for a record:

      v=spf1 +mx +a:outbound-mail.aol.com -exists:%{ir}.bl.spamcop.net +all

I.e. allow all mail sent from AOL servers. If not from AOL servers, then drop it if it is blacklisted, otherwise allow.

This is a reasonably safe record, and probably would allow many ISPs to get started fairly quickly.

It raises a nasty issue: currently RBLs can provide textual information about why the block is in place. It is not clear how to return this information in the above case. Maybe, if the failing mechanism is '-exists' then a TXT lookup can be performed to get text. Hmm.......

Philip

--
Philip Gladstone
* Check out the live pondcam at http://pond.gladstonefamily.net

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt
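An added example, not part of the original post: a small left-to-right evaluator for the record quoted in the message, showing how `%{ir}` expands into a blacklist query and which term decides the result. The DNS answers in `ZONE` are constructed, using documentation addresses, and only the mechanisms this record uses are handled; the function names and the `pass`/`fail` result labels are choices made for this sketch.

```python
import ipaddress

# Record from the post, evaluated left to right; first matching mechanism wins.
RECORD = "v=spf1 +mx +a:outbound-mail.aol.com -exists:%{ir}.bl.spamcop.net +all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data (documentation addresses), standing in for real lookups.
ZONE = {
    ("MX", "aol.com"): ["mx.aol.com"],
    ("A", "mx.aol.com"): ["192.0.2.10"],
    ("A", "outbound-mail.aol.com"): ["192.0.2.20"],
    ("A", "7.100.51.198.bl.spamcop.net"): ["127.0.0.2"],  # 198.51.100.7 is listed
}

def lookup(rtype, name):
    return ZONE.get((rtype, name.lower().rstrip(".")), [])

def expand(spec, ip):
    """Expand the two macros this record needs: %{i} and %{ir} (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return (spec.replace("%{ir}", ".".join(reversed(octets)))
                .replace("%{i}", ".".join(octets)))

def matches(mech, arg, ip, domain):
    target = expand(arg, ip) if arg else domain
    if mech == "all":
        return True
    if mech == "a":
        return ip in lookup("A", target)
    if mech == "mx":
        return any(ip in lookup("A", host) for host in lookup("MX", target))
    if mech == "exists":          # matches if the name has any A record
        return bool(lookup("A", target))
    raise ValueError(f"unsupported mechanism: {mech}")

def check(record, ip, domain):
    """Return (result, matching term); 'fail' is what the post calls deny."""
    version, *terms = record.split()
    if version != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if matches(mech, arg, ip, domain):
            return QUALIFIERS[qual], term
    return "neutral", None

if __name__ == "__main__":
    for ip in ("192.0.2.20", "198.51.100.7", "203.0.113.5"):
        print(ip, check(RECORD, ip, "aol.com"))
```

Because `+mx` and `+a` come first, the blacklist term is only consulted for senders outside the listed servers, and an unlisted outside sender falls through to `+all`.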