spf-discuss

Re: Unified SPF Algorithm (was: moving on from MARID)

2004-10-02 14:00:45

On Fri, 1 Oct 2004, Meng Weng Wong wrote:

> The "policy" component is required: it means that the
> receiver must have chosen to trust the HELO or SUBMITTER.
>
> The requirement that "policy" must pass keeps out the bad guys.
>
> People seem to have a real hard time thinking in two
> dimensions (auth + policy) rather than just one (auth
> alone).

SPF is a policy framework by default, we don't need to repeat that.
And if somebody is checking a SUBMITTER or HELO record they better be
choosing to trust it!

For the algorithm I was working on, I was assuming that if they don't check
HELO or SUBMITTER, that is the same as if the result of checking is None.
It's possible to make the algorithm more complex by making a difference
between these two (or by making SoftFail also mean something else
depending on results of other policy checks), but I think such
complexities would not be beneficial to making a "Unified" policy
framework.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/

