--Seth Goodman <sethg(_at_)GoodmanAssociates(_dot_)com> wrote:
a) MSA immediately rejects, with explanation, any message where the
highest of From:/Sender:/(newest)Resent-From: does not match
return-path. This would be ideal, though I don't know if all MUA's can
set return-path properly. This approach avoids all ethical and legal
problems. If the explanation returned included web links to clear
instructions on how to correct the setup in each of the common MUA's,
service calls would be reduced, but not eliminated.
Greg Connor <gconnor(_at_)nekodojo(_dot_)org> wrote:
I would suggest modifying this to say "rejects any message where the
domain of the most recent From:/Sender:/(newest)Resent-From: does not
match the domain of the return path." Adding "domain of" allows
things like SES/SRS or VERP to work.
--Ralf Doeblitz <list+spf-discuss(_at_)doeblitz(_dot_)net> wrote:
NACK. Let the MSA sort out which addresses the submitter may use. For
something like VERP and SES/SRS there should be regular expressions that
match login to allowed addresses.
A very good point, one which I didn't think through completely at first.
In some cases the auth user will own a single email address in the ISP's
domain, and in other cases the auth user owns the whole domain.
I think this underscores the point that the MSA should be able to sort out
who owns what address, and other MTAs that are not the MSA should not be
trying to match them up. SPF is probably not the best tool for this, and
there are a number of other techniques that would work, if ISPs would just
spend the time to correlate return addresses to auth users.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
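
The MSA-side check discussed in this thread, as an added example that is not part of the original messages: each authenticated login maps to regular expressions for the addresses it may use, covering both the single-mailbox case (with VERP-style extensions) and the whole-domain case. The logins, domains, policy table and function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table: auth login -> patterns for addresses it may use.
ALLOWED = {
    # Owns one mailbox; VERP-style "+extension" return-paths are allowed.
    "alice": [re.compile(r"alice(\+[^@]+)?@isp\.example", re.I)],
    # Owns a whole domain.
    "bobcorp": [re.compile(r"[^@]+@bobcorp\.example", re.I)],
}

def responsible_address(msg):
    """Newest Resent-From, else Sender, else From (the thread's ordering)."""
    for header in ("Resent-From", "Sender", "From"):
        values = msg.get_all(header)
        if values:
            # Resent-* blocks are prepended, so the first one is the newest.
            return parseaddr(values[0])[1]
    return ""

def permitted(login, address):
    """True if the address fully matches a pattern owned by this login."""
    return any(p.fullmatch(address) for p in ALLOWED.get(login, []))

def check_submission(login, return_path, raw_message):
    """Return (accepted, reason) for an authenticated submission."""
    msg = message_from_string(raw_message)
    if not permitted(login, return_path):
        return False, f"return-path {return_path} not allowed for {login}"
    header_addr = responsible_address(msg)
    if not permitted(login, header_addr):
        return False, f"header address {header_addr} not allowed for {login}"
    return True, "ok"

# Constructed sample messages.
SAMPLE = "From: Alice <alice@isp.example>\nSubject: test\n\nbody\n"
RESENT = "Resent-From: sales@bobcorp.example\n" + SAMPLE

if __name__ == "__main__":
    print(check_submission("alice", "alice+list=user=example.org@isp.example", SAMPLE))
    print(check_submission("alice", "carol@isp.example", SAMPLE))
    print(check_submission("bobcorp", "bounce@bobcorp.example", RESENT))
```
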