spf-discuss

RE: Re: [SPF Classic] Policy best practices should be kept out

2004-10-07 09:16:03
If it were up to me, "+all" would be considered an invalid SPF record.
This is what a spammer would do.

Guy

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Scott Kitterman
Sent: Thursday, October 07, 2004 10:15 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Re: [SPF Classic] Policy best practices should be
kept out

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of John Hinton
Sent: Thursday, October 07, 2004 9:46 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Re: [SPF Classic] Policy best practices
should be kept out

So, am I missing something here? Why can't we reject based on no SPF
record? Not at first, but once the bulk of the domains have SPF records.

So, what do you do with  "v=spf1 +all"?  That domain has an SPF record.

For those of us using shared MTAs, until the MTA providers change their
systems to prevent cross-customer forgery, the best we can get is a NEUTRAL.
SPF pass is very hard to get to unless the MTA is under the administrative
control of the domain owner.

And before you say SMTP-AUTH, that's necessary, but not sufficient.  That
just says the MUA is an authorized user of the MTA.  It generally says
nothing about what mail from addresses the MUA is allowed to use.

Scott Kitterman

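
Added example, not part of the original thread: a receiver-side check showing why "has an SPF record" is a weaker test than "what the record's catch-all says", since "v=spf1 +all" and a bare "all" both authorize every sender. The function name, labels and sample domains are assumptions made for illustration; the qualifier and evaluation rules follow the SPF specification (RFC 7208), and no DNS lookup is performed.

```python
# Added example: classify the catch-all policy of a published SPF record.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def classify_spf(txt_records):
    """Label a domain by what its SPF record says about unlisted senders.

    txt_records: TXT strings published for the domain (constructed input).
    """
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "no-record"
    if len(spf) > 1:
        return "permerror"              # more than one SPF record is an error
    has_redirect = False
    for term in spf[0].split()[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            has_redirect = True         # only used when no "all" is present
            continue
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all":
            # "all" always matches, so later terms are never evaluated.
            if qualifier == "+":
                return "allow-any"      # record exists but authorizes everyone
            return "all-" + QUALIFIERS[qualifier]
    # No "all": follow redirect if given, otherwise the result is neutral.
    return "redirect" if has_redirect else "default-neutral"

# Constructed sample data (reserved example domains, not real lookups).
SAMPLES = {
    "open.example": ["v=spf1 +all"],
    "bare.example": ["v=spf1 all"],
    "strict.example": ["v=spf1 mx -all"],
    "shared-mta.example": ["v=spf1 include:mta.example.net ?all"],
    "none.example": ["some unrelated TXT record"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {classify_spf(records)}")
```

A receiver that only asks whether a record exists treats open.example and strict.example alike; the classification separates them.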