Andrew Hodgson wrote:
My argument being that SPF should _not_ be involved in any of
these steps, which is clearly not happening at present, going
on some recent articles I have seen.
Hi, that's a "well-known" problem (in de.admin.net-abuse.news)
A poster should not be concerned with _technical_ problems of
his news server, like an invalid address of the moderator. So
the "correct" behaviour is article -> server (NEWS-From user),
server -> moderator (MAIL FROM news.admin, 2822-From user),
finally the moderator approves and injects it at his server.
Or the moderator rejects it (mail back to 2822-From).
This procedure has some variants, but essentially there's no
problem with SPF. It doesn't work with Sender-ID, because the
Sender: (if any) is copied from the article, and it does not
match the MAIL FROM news.admin. But that's only one of many
Sender-ID bugs, Sender-ID is FUBAR and broken by design.
In one case there's a problem with SPF: the lazy news.admin.
This guy uses MAIL FROM user instead of MAIL FROM news.admin.
Now if the user has a SPF sender policy, and if the moderator
(or rather his border MTA) does a SPF check, then the IP used
to submit the article from server to moderator probably FAILs.
Possible solutions:
1 - Ask your news admin to fix his procedure. The MAIL FROM is
incorrect, it's _his_ problem if some moderator addresses
configured in his server don't work, it's not your problem.
2 - Ask him for the IPs used for his MAIL FROM user "forwards",
and add these IPs to your sender policy (that's a hack).
3 - Find a less ignorant news server, or use another address
(not protected by SPF).
4 - Submit your article directly by mail to the moderator. It
is often hard to find this address, but in some cases it
might be a workaround (e.g. nanas)
Sorry for the bad news, bye, Frank