spf-discuss

Re: 2.3 Checking Authorization

2004-10-17 04:27:22
David Brodbeck wrote:

Then maybe we should say that once the mail is accepted, a
failed SPF check MUST not generate a bounce message.  Since
the bounce will likely not go to the sender.
 
Absolutely.

Maybe.  The whole point of the exp= modifier is users doing
something stupid (or incorrect sender policies).  If you say
that almost every FAIL is in fact forged, then exp= would be
useless - the spammer knows this already, and the trojaned
machine abused to spew doesn't care about any "explanations"
for a 550.  One of several reasons why I don't like exp=.

Actually SPF doesn't work very well if the test is done after
the SMTP dialogue.  That's very clear in the draft, but maybe
adding an explicit "MUST not bounce" helps.  For publishers
of policies this means "mail may be lost if you or your users
screw up".
            Bye, Frank