--Roger Moser <Roger(_dot_)Moser(_at_)pamho(_dot_)net> wrote:
In section 3 of the specifications it says:
Error: indicates an error during lookup; an MTA MAY reject the
message using a transient failure code, such as 450.
I think "MAY" should be replaced by "SHOULD". Otherwise a spammer could
simply use a domain name (like bunita.net, elevation-tour.net or eguo.com)
where looking up the TXT record fails, and the MTA's would accept the
spam.
This might be a non-issue, since most mailers will look up the domain using
A, MX or both, and 4xx if that fails. If A and/or MX works, TXT is
unlikely to fail (I count NXDOMAIN, nonexistent, as different from "fail" -
NXDOMAIN means a successful search that returned 0 matches from an
authoritative source)
HOWEVER, on thinking about this a bit more, if we are serious about
stopping phishing/joe-job email, I can see some value in setting this to
SHOULD. If there are any popular SPF clients that let the crap on through
when the nameservers are all down, then we may be unwittingly encouraging
people to DDOS/otherwise attack the name servers so they can get their
phishing attempt on through. If an attack brings down the nameservers, and
that just delays mail coming from that domain, that provides less incentive
for spammer/scammer to attack nameservers.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>