-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of John
Hinton
Sent: Thursday, October 07, 2004 9:46 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Re: [SPF Classic] Policy best practices
should be kept out
So, am I missing something here? Why can't we reject based on no SPF
record? Not at first, but once the bulk of the domains have SPF records.
So, what do you do with "v=spf1 +all"? That domain has an SPF record.
For those of us using shared MTAs, until the MTA providers change their
systems to prevent cross-customer forgery, the best we can get is a NEUTRAL.
SPF pass is very hard to get to unless the MTA is under the administrative
control of the domain owner.
And before you say SMTP-AUTH, that's necessary, but not sufficient. That
just says the MUA is an authorized user of the MTA. It generally says
nothing about what mail from addresses the MUA is allowed to use.
Scott Kitterman