Stephane in
<20041006205749(_dot_)GA3749(_at_)laperouse(_dot_)internatif(_dot_)org>:
The whole purpose of SPF is to check the "real" email address used for
the last introduction of the message. This can conflict with privacy
expectations, for instance for a roaming user.
I'm not clear what you're getting at. What privacy expectations
do roaming users have in the context of spf?
The problem already exists with the Received headers but the advice in
the draft ("Security Considerations") to display the address used in
the 2821 MAIL FROM makes it stronger, IMHO.
Didn't that horse bolt long ago in rfc 1123?
| 5.2.8 DATA Command: RFC-821 Section 4.1.1
|
| When the receiver-SMTP makes "final delivery" of a message,
| then it MUST pass the MAIL FROM: address from the SMTP envelope
| with the message, for use if an error notification message must
| be sent later (see Section 5.3.3).
| IMPLEMENTATION:
| The MAIL FROM: information may be passed as a parameter or
| in a Return-Path: line inserted at the beginning of the
| message.
The same concept was carried forward into rfc 2821 ...
| 4.4 Trace Information
|
| When the delivery SMTP server makes the "final delivery" of a
| message, it inserts a return-path line at the beginning of the mail
| data. This use of return-path is required; mail systems MUST support
| it. The return-path line preserves the information in the <reverse-
| path> from the MAIL command. Here, final delivery means the message
| has left the SMTP environment. Normally, this would mean it had been
| delivered to the destination user or an associated mail drop, but in
| some cases it may be further processed and transmitted by another
| mail system.
--