In <8117577(_at_)pamho(_dot_)net> "Roger Moser"
<Roger(_dot_)Moser(_at_)pamho(_dot_)net> writes:
The latest specification says:
2.2.2. Lookup
...
If the domain does not exist (NXDOMAIN) an SPF client MUST return
"unknown".
Unknown: indicates incomplete processing: an MTA MUST proceed as if a
domain did not publish SPF data.
This will make the spammers and virus authors happy. Now they simply have to
use a return-path with an non-existing domain, and their spam or virus will
be delivered.
Besides the reasons that Meng and Andy mentioned, I'll add this reason
on why I think SPF shouldn't fail on NXDOMAIN:
I think that SPF gets a lot of "moral authority" to reject email
because that is what the domain owners have requested. I think we
must accept that some domain owners just don't like SPF and don't want
to use it. If SPF rejects email due to an NXDOMAIN within the zone of
authority of a domain owner that doesn't like SPF, we have lost a lot
of the "moral authority" for what we are doing.
So, I think that rejecting email because of the NXDOMAIN, or the lack
of an MX record is just fine, but claiming it is SPF that made this
decision hurts us.
-wayne