spf-discuss

RE: Large address scope problem

2004-06-14 09:46:37

One theme that I have seen repeated on this and the related lists is 
the idea that SPF results should be deterministic.

I strongly agree, the SPF result must be consistent.

That doesn't, however, rule out local policies that use the SPF checks
or SPF records to do other filtering.  Just don't say the email is being
rejected due to the SPF result.

I agree too. It is important for all implementations to exhibit the same
behaviour when confronted with the same policy record, I retract my
earlier suggestion.

you've described, then they've signed up to be responsible.  Then we
go hunt them down and give them the fate the spammers deserve (insert
local policy here).

Yes, we must acknowledge that there will be people who strongly object
to SPF (hi David!) for either technological reasons or for philosophical
reasons.

In the latter case, consider someone who feels that it fundamentally
limits where an email claiming to be from their domain is sent from. They
may want to "opt out" of all the DNS lookups that SPF creates by
publishing "v=spf1 +all" with a long TTL.  This is the domain owner's
right to say!

Local policies are our friend.

By which I assume you mean that if someone wishes to publish a policy
that maps to a large segment of the internet, then it's the receiver's
right to refuse to accept email from them?

After discussion in our team, we think this is a good idea, and will
almost certainly offer this as an option in our product.  Even though the
SPF module would still indicate a "pass", we plan to augment that pass
with a "scope" value, which would be the scope of the passing mechanism,
and then further action can be taken, including a rejection.

It might seem that a local policy could do this when the "offending"
domains are located, but the fact is that many of our customers are
neither computer literate nor mail system administrators, nor
particularly interested in SPF/anti-spam. 

They are often simply the person in the office who happened to use
computers before the company "email system" was introduced and sort of
"fell into the job" of being mail administrator, so expecting them to
apply a local policy when one of these domains turns up is not going to
work, and sending automatic updates to them is fraught with
infrastructure & legal problems (not that we haven't considered this).

I'd still like people's feedback on what they _think_ might constitute
an unacceptable portion of the internet. Notwithstanding the power-of-2
issues, I'd expect this number to be fairly large (/20?)

-Gary
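As an added example (not code from the original thread, and not the product Gary describes), here is a small Python sketch of the "pass plus scope" idea: evaluate only the offline mechanisms ip4, ip6 and all (no DNS lookups, so mechanisms such as a, mx and include are skipped by assumption), return the SPF result together with the prefix length of the mechanism that matched, and then apply a separate local policy that rejects a pass whose matching mechanism is wider than a configurable threshold. The /20 threshold for IPv4 is the figure floated in the post; the /48 for IPv6 and the exact wording of the reasons are my assumptions. The rejection reason names local policy, not SPF, so the SPF result itself stays deterministic.

```python
"""Toy SPF evaluator that reports the scope of the mechanism that matched.

Constructed example. Only ip4, ip6 and all mechanisms are handled, so the
record is evaluated entirely offline; DNS-based mechanisms (a, mx, include,
exists) and modifiers (redirect=, exp=) are skipped by assumption.
"""
import ipaddress

# SPF qualifier prefix -> result name; a term with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, sender_ip):
    """Return (result, scope) for sender_ip against an SPF record string.

    scope is (ip_version, prefix_length) of the mechanism that matched, so a
    bare "all" is reported as prefix length 0. When nothing matches the
    default SPF result is "neutral" and scope is None.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" covers every address of the sender's address family.
            return QUALIFIERS[qualifier], (ip.version, 0)
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier], (net.version, net.prefixlen)
            continue
        # Assumed behaviour for this offline example: any other mechanism or
        # modifier is skipped because no DNS lookups are performed.
    return "neutral", None


def local_policy(result, scope, min_prefix=None):
    """Layer a receiver-side decision on top of the unchanged SPF result.

    A "pass" whose matching mechanism is shorter (wider) than the per-family
    minimum prefix length is rejected, and the reason says so explicitly:
    the SPF result was still "pass", the local policy is what rejected it.
    """
    # Assumed thresholds: /20 for IPv4 (the figure in the post), /48 for IPv6.
    min_prefix = min_prefix or {4: 20, 6: 48}
    if result == "pass" and scope is not None:
        version, prefixlen = scope
        if prefixlen < min_prefix[version]:
            return ("reject",
                    "local policy: passing mechanism /%d is wider than /%d"
                    % (prefixlen, min_prefix[version]))
    if result == "fail":
        return "reject", "spf fail"
    return "accept", "spf " + result


if __name__ == "__main__":
    # Constructed sample records and sender addresses (documentation ranges).
    record = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/20 -all"
    for sender in ("192.0.2.5", "198.51.100.200", "203.0.113.1"):
        result, scope = evaluate(record, sender)
        print(sender, result, scope, local_policy(result, scope))
    result, scope = evaluate("v=spf1 +all", "203.0.113.1")
    print("opt-out record:", result, scope, local_policy(result, scope))
```

Note that the policy compares the scope of the *matching* mechanism only, which is what the post proposes; a domain that lists many narrow ip4 ranges still passes even if their union is large, and a record that reaches a "+all" through a redirect would need the DNS-following logic this sketch deliberately omits.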