spf-discuss

Re: What does PASS really mean?

2004-06-29 11:35:47
"Jonathan Gardner" asked:

Discussion with Scott Kitterman and others has brought to my attention some
misunderstandings. In particular, what does an SPF PASS result really mean?
...

Any other options? Any ideas?


Two questions to be answered:

1)  Is this MTA authorised to send mail on behalf of this domain?
Solution: Use SPF PASS as currently formulated.

2) Did the MTA verify that the mail was submitted to it by someone authorised to
send on behalf of that domain?

I suggest we should introduce a new assertion by the MTA that it did indeed
validate the origin. Put this in a new RFC 822 header or as an extension to some
existing header.

It is now for the client to look at the two pieces of information and make a
decision about the authenticity of the message.

This means that the roll-out of SPF and of SASL are not mutually dependent.

I would recommend giving the second item of information its own RFC and name /
abbreviation, rather than treating it as "the MTA ought to implement SASL as
well" as part of the SPF RFC.

In some situations, it would be a useful additional feature in its own right,
independent of its use alongside SPF.

Chris Haynes