Mathew wrote:
Allow me to recast the numbers from "forgery probability" to "strength of
authorization" - authorization in the sense that the sending server is
authorized by the domain owner to send mail (no SMTP AUTH is necessarily
implied.)

Excellent post because the examples illustrate the utility and benefit.
I have one improvement to add to what Mathew wrote. There is at least one case
in SPF syntax where the "SPF authority" Matthew proposed will not apply, for
example for the "all" mechanism, because that is a fall through case and the
"sending server" is not known by the owner when writing the SPF rule.
In that case, I was proposing the percentage represent the confidence that the
owner of the domain has that his users will not fall through to the "all" case.
So if the owner has obtained 90% compliance, then the "SPF authority" for "all"
is 10%, i.e. there is only a 10% chance of the fall through being non-forgery.
Note my point in a previous post that "absolute" is not necessary, because
probability correlation is relative, so this is a reasonable way to convey the
owner's a priori confidence (data) in "all" to the recipients.
I agree with everything else that Matthew wrote. He said it much better than I
did before :)