spf-discuss

Re: A note on the semantic of MX records

2004-03-04 09:00:42
Hi Marc,

On Thu, Mar 04, 2004 at 10:04:32AM -0500, Marc Alaia wrote:
> There are many possible situations where an inbound MX would not necessarily
> be authorized to send mail for a domain.  In today's environment of hosted
> email, hosted spam filtering, etc., the published MX may have no
> relationship to the actual sending machine.  This is where spf_guess can be
> used, but it should be left out of the SPF specification.

To begin with, this issue is basically out of pure SPF, in the sense that it
relates mostly to the MTA policy for filtering mails, not the protocol itself.

Talking about that policy now, IMHO, we should consider always pass-through
emails coming from an MX system for a given domain (counter-example anyone?).
I read the spf draft, but find nowhere a kind of directive for doing so.

If we do block on the basis of non-SPF conformance, we only postpone spammers'
job a couple of months, while breaking a great part of the infrastructure.
I have yet to find a reason for not making the MX assumption.

Remember, we are talking about the case that:
a) sending domain has no SPF record
b) sending domain has MX server
c) email originating from that MX
receiving domain has to make a judgement on a+b+c

(if clause c is not true, that's another case that requires a "guess").

Fotis
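
The a+b+c case from the message above, written as a receiver-side policy check. This is an added example, not part of the original thread or of any SPF implementation: the function names, verdict strings and the `ZONE` table are hypothetical, and the DNS data is constructed from documentation names and addresses so the check runs offline.

```python
import ipaddress

# Constructed DNS snapshot standing in for live TXT/MX/A lookups.
ZONE = {
    # No SPF record; one own MX plus one hosted filtering MX.
    "example.org": {"TXT": ["unrelated text record"],
                    "MX": ["mx1.example.org", "filter.example.net"]},
    "mx1.example.org": {"A": ["192.0.2.10"]},
    "filter.example.net": {"A": ["198.51.100.25"]},
    # Publishes SPF, so the MX assumption does not apply.
    "example.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.5"]},
    # Neither SPF nor MX.
    "nomx.example": {},
}

def has_spf(domain, zone):
    """Clause (a) is about the absence of a TXT record starting with v=spf1."""
    txts = zone.get(domain, {}).get("TXT", [])
    return any(t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")
               for t in txts)

def mx_addresses(domain, zone):
    """Clause (b): every address the domain's MX hosts resolve to."""
    addrs = set()
    for host in zone.get(domain, {}).get("MX", []):
        for a in zone.get(host, {}).get("A", []):
            addrs.add(ipaddress.ip_address(a))
    return addrs

def mx_assumption(domain, client_ip, zone=ZONE):
    """Local-policy verdict for mail claiming `domain`, received from `client_ip`."""
    if has_spf(domain, zone):
        return "has-spf"        # (a) fails: evaluate the published record instead
    addrs = mx_addresses(domain, zone)
    if not addrs:
        return "no-mx"          # (b) fails: nothing to compare against
    if ipaddress.ip_address(client_ip) in addrs:
        return "mx-match"       # a+b+c hold: this is the case the policy would accept
    return "guess-needed"       # (c) fails: the other case that requires a guess
```

The hosted filter `filter.example.net` yields `mx-match` as well, which is the situation the quoted message raises: a published MX that is matched by the check whether or not it is the machine that sends the domain's mail.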

