On Sun, May 30, 2004 at 04:02:00PM -0500, Seth Goodman wrote:
I should point out that one of the longstanding goals for SPF was to allow
rejection of forged envelope sender email _before_ DATA. The current
converged SPF/CID proposal blocks anything that gives an SPF result other
than PASS (as we don't yet have a draft, I don't know whether it is MUST or
SHOULD). I have argued in other posts that MUST is the better way to go,
and I still feel that is the case.
"allow for rejection before data" != "must reject before data"
I'd like to make that choice myself, as do many users. Next thing
you know there's spf.rfc-ignorant.org listing people who don't reject ...
(no, I am not against rfci)
If all SPF does is tag suspicious email to use as an additional factor in an
after-the-fact content filter, I don't see that it's worth the effort.
I'm sure it will be possible to create an email that passes, say, SpamAssassin
yet being sent in your name not from your domain. Remember, SPF != anti spam.
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.