Not so sure it sounds like a good idea to let the sender decide which algorithm
will be used to evaluate their message.
The major advantage of PRA is that it allows inspection of internal headers.
This is supposed to be an advantage because the typical end user sees those
headers and not the envelope headers. Verifying internal header PRA is
supposed to make successful phishing more difficult.
Suppose I am Phred Phisher operating out of a server in Elbonia, where human
laws cannot touch me. The domain is phisher.com and the sending IP is
123.123.123.123.
I want to send a phishing message to SPF checking recipients. I know I will
get bounced if phisher.com does not have an SPF-whatever record that translates
to 123.123.123.123. So, do I publish "v=spf1 ip4:123.123.123.123 -all" or
"v=marid1 ip4:123.123.123.123 -all" ?
I think I choose the former, knowing that the RFC compliant receiving MTA will
ignore the fact that my internal headers all read
president@bankofamerica.com
Am I mistaken here?
Mark Holm
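As an added worked example (not part of Mark Holm's post, and not the code of any real SPF or Sender ID implementation), the following Python model shows the two identity choices being compared. A classic SPF check takes the envelope MAIL FROM and evaluates the record of that domain; a PRA check instead picks an address out of the internal headers (simplified here to the first of Resent-Sender, Resent-From, Sender, From) and evaluates the record of that domain. The message, the IP, and both DNS records are constructed for the example; the bankofamerica.com record is hypothetical. The evaluator only understands ip4/ip6 mechanisms and the all term with qualifiers, not include, a, mx or redirect.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample DNS data (not real records). The phisher's record is
# the one from the post; the bankofamerica.com record is hypothetical.
TXT_RECORDS = {
    "phisher.com": "v=spf1 ip4:123.123.123.123 -all",
    "bankofamerica.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Constructed message carrying the internal headers the post describes.
PHISH_MESSAGE = """From: President <president@bankofamerica.com>
To: victim@example.org
Subject: Urgent account verification

Please log in at the link below.
"""

ENVELOPE_MAIL_FROM = "phred@phisher.com"   # constructed
CLIENT_IP = "123.123.123.123"              # sending IP from the post


def select_pra(msg):
    """Purported Responsible Address, simplified: the first non-empty of
    Resent-Sender, Resent-From, Sender, From (the draft has more rules
    for multiple Resent-* blocks and multi-address headers)."""
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = msg.get(header)
        if value:
            _, addr = parseaddr(value)
            if addr:
                return addr
    return None


def domain_of(addr):
    """Domain part of an address, lower-cased for the record lookup."""
    return addr.rsplit("@", 1)[1].lower()


def evaluate_spf(record, client_ip):
    """Minimal v=spf1 evaluator: ip4/ip6 mechanisms and 'all' only."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    quals = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in quals:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return quals[qual]
        m = re.match(r"^(ip4|ip6):(.+)$", term, re.I)
        # A mismatched address family simply does not match the network.
        if m and ip in ipaddress.ip_network(m.group(2), strict=False):
            return quals[qual]
    return "neutral"


def check(scope, mail_from, msg, client_ip, records=TXT_RECORDS):
    """scope is 'mailfrom' (classic SPF) or 'pra' (Sender ID).
    Returns (identity that was checked, result)."""
    identity = mail_from if scope == "mailfrom" else select_pra(msg)
    record = records.get(domain_of(identity))
    result = evaluate_spf(record, client_ip) if record else "none"
    return identity, result


def run_example():
    """The scenario from the post, plus the case where the phisher adds a
    Sender: header naming his own domain so the PRA becomes that address."""
    msg = message_from_string(PHISH_MESSAGE)
    results = {
        scope: check(scope, ENVELOPE_MAIL_FROM, msg, CLIENT_IP)
        for scope in ("mailfrom", "pra")
    }
    msg_with_sender = message_from_string(PHISH_MESSAGE)
    msg_with_sender["Sender"] = ENVELOPE_MAIL_FROM
    results["pra_with_sender"] = check("pra", ENVELOPE_MAIL_FROM,
                                       msg_with_sender, CLIENT_IP)
    return results


if __name__ == "__main__":
    for scope, (identity, result) in run_example().items():
        print(f"{scope:16} checked {identity:30} -> {result}")
```

With the MAIL FROM scope the phisher's own record is consulted and the message passes while the From: line still reads president@bankofamerica.com. With the PRA scope the From: address is selected, so it is bankofamerica.com's record that matters and the phisher's IP fails it. The third case shows the usual caveat about PRA: adding a Sender: header pointing at phisher.com makes that the PRA, which passes again, so the protection only holds to the extent the recipient's mail client shows the Sender: field alongside From:.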