Tony Finch wrote:
My point is that nobody has properly thought through how to
deploy SPF on anything other than toy domains in such a way
that it can safely reject email.
NAK. Counting from RMX draft one there have been 18 months to
think it through. You're not responsible to save the world
from the intended effects of SPF. If you reject MAIL FROM me,
the broken forwarder will note the problem, and it will inform
me with a bounce.
Then it's my problem, not your problem. I can discuss it with
postmaster(_at_)ignorant(_dot_)forwarder(_dot_)example, and I can discuss it
with stupid(_dot_)user(_at_)ignorant(_dot_)forwarder(_dot_)example (e.g. using
one of
my other addresses).
Then it's their problem. I'd prefere a simple 551 solution,
where I get the real address of your user, because SMTP was
never meant to send mail via multiple independent MXs - what
a waste of time and band width. SPF fixes this abuse of SMTP.
(Note multi hops != multi unrelated MXs)
They can also use one of the remailer schemes. They can join
trusted-forwader.org (if it's a really important ignorant).
In the latter case you'd add trusted-forwarder.org once to
your white list configuration, and be done with it.
Finally they can ask you for your help, begging for a local
white list entry on your system. Only in this last case it's
really your problem. And you're free to ignore it, because I
accept the consequences of my sender policy with "-all".
Just do it. Or leave it alone. Don't try to save the world,
"we" (tinw) already have Meng for this position. Bye, Frank