Frank Ellermann <nobody@xyzzy.claranet.de> writes:
> Probably MUAs should be modified to display the PRA. As long
> as the definition of PRA includes "must match the MAIL FROM
> (Return-Path)" it can be done offline without any SPF tests.
> The classic Received-SPF header could then be used to further
> identify a "verified" (SPF PASS) vs. "unverified" (else) PRA.
While I like that idea very much, I am afraid that it might require an
additional step. The problem comes from MTAs which do *not* perform
the SPF test. The spammer could include a "Received-SPF: pass" in the
SPAM email. So, it would have to be mandatory for MTAs to remove any
pre-existing Received-SPF: header(s) whether or not (and especially
if not) they perform SPF checks. I am afraid that I do not see that
happening any time soon.
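The header-injection problem the reply raises, worked through as an added example (this is illustrative code written for this page, not code from either poster or from any SPF implementation). It assumes the PRA precedence of RFC 4407 (Resent-Sender, Resent-From, Sender, From) and the `receiver=` tag of the RFC 4408 Received-SPF syntax; the host name `mx.example.net`, the addresses and the sample message are constructed. The boundary MTA strips every pre-existing Received-SPF header and only then stamps its own verdict, and the MUA side treats the PRA as "verified" only when the top-most Received-SPF header is a pass naming that MTA as receiver:

```python
"""Added example (not from the thread): Received-SPF handling at a trust boundary
and the verified/unverified PRA display proposed in the quote. Header names are
real (RFC 4407 / RFC 4408); host name, addresses and message are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Sender ID PRA selection order (RFC 4407 section 2): first header present wins.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def parse_headers(raw: str) -> List[Header]:
    """Parse an RFC 5322 header block into an ordered (name, value) list, unfolding continuations."""
    headers: List[Header] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:  # folded continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def strip_received_spf(headers: List[Header]) -> List[Header]:
    """Boundary-MTA rule from the reply: drop every pre-existing Received-SPF header,
    whether or not this MTA checks SPF itself, so a forged one never reaches the MUA."""
    return [(n, v) for n, v in headers if n.lower() != "received-spf"]


def stamp_spf_result(headers: List[Header], result: str, receiver: str, comment: str) -> List[Header]:
    """Prepend the local verdict as the top-most header, as an MTA does with its Received: line."""
    return [("Received-SPF", f"{result} ({comment}) receiver={receiver};")] + headers


def extract_addr(value: str) -> str:
    """Reduce 'Display Name <user@host>' (or a bare address) to a lower-cased address."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def first_header(headers: List[Header], name: str) -> Optional[str]:
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def select_pra(headers: List[Header]) -> Optional[str]:
    """Pick the Purported Responsible Address by RFC 4407 precedence."""
    for candidate in PRA_ORDER:
        value = first_header(headers, candidate)
        if value is not None:
            return extract_addr(value)
    return None


def classify_pra(headers: List[Header], trusted_receiver: str) -> Dict[str, object]:
    """MUA-side view: 'verified' only if the top-most Received-SPF is a pass that names our own
    boundary MTA as receiver; anything else (including no header) is 'unverified'. The offline
    PRA-vs-Return-Path comparison from the quote needs no DNS and is reported separately."""
    pra = select_pra(headers)
    rp = first_header(headers, "Return-Path")
    return_path = extract_addr(rp) if rp else None
    spf = first_header(headers, "Received-SPF")
    status = "unverified"
    if spf:
        result = spf.split(None, 1)[0].lower()
        m = re.search(r"receiver=([^;\s]+)", spf)
        if result == "pass" and m and m.group(1).lower() == trusted_receiver.lower():
            status = "verified"
    return {"pra": pra, "return_path": return_path,
            "pra_matches_return_path": pra is not None and pra == return_path,
            "status": status}


# Constructed sample: the sender forged a Received-SPF header that even names our MTA.
FORGED = """\
Received-SPF: pass (mx.example.net: domain of bounce@forged.example designates
    192.0.2.1 as permitted sender) receiver=mx.example.net;
Return-Path: <bounce@forged.example>
From: Someone <someone@forged.example>
Subject: constructed sample

body text
"""

MY_MTA = "mx.example.net"  # constructed name of our own boundary MTA


def demo() -> Dict[str, str]:
    """Walk the forged message through the three MTA behaviours the reply contrasts."""
    raw = parse_headers(FORGED)
    naive = classify_pra(raw, MY_MTA)["status"]            # no strip, no check: MUA is fooled
    stripped = strip_received_spf(raw)
    strip_only = classify_pra(stripped, MY_MTA)["status"]  # strip, no check: shown as unverified
    checked = stamp_spf_result(stripped, "softfail", MY_MTA, "no designation for 192.0.2.1")
    strip_and_check = classify_pra(checked, MY_MTA)["status"]
    return {"naive": naive, "strip_only": strip_only, "strip_and_check": strip_and_check}


if __name__ == "__main__":
    print(demo())
```

The `naive` case is the reply's point: because nothing guarantees the top-most Received-SPF was written by the receiving site, a forged pass is indistinguishable from a real one unless the boundary MTA removes inbound copies unconditionally before it stamps (or declines to stamp) its own.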