Scott Kitterman wrote:
I have recently discovered that megapathdsl.com checks all mail
(inbound and outbound) for SPF. They then apply the Received-spf
header. They only reject inbound failures.
Foremost, a "Received-SPF:" header should not be added as a result of an
_outbound_ SPF check. The header name kind of implies that.
Now one might assume that receivers would ignore Received-SPF headers
applied by previous MTAs. That is not always correct.
In the first place, only receiver _MUAs_, not MTAs, should care about the
"Received-SPF:" header. Then, a receiver MUA should look at only those
"Received-SPF:" headers of which it is absolutely sure that they have been
genuinely added by the receiving MTA. This is usually only the single
topmost header, _if_ the receiving MTA adds such a header at all.
There is no point in "blindly" looking for any "Received-SPF:" headers in
a received message, not knowing whether the receiving MTA actually added
those. This might be a sloppiness in SpamAssassin and similar tools (I am
not sure because I don't use SpamAssassin).
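
The rule described above (trust only the "Received-SPF:" field that the receiving MTA itself added, never one that arrived with the message), as an added example that is not part of the original post. It assumes the receiving MTA prepends "Received-SPF:" above its own "Received:" field; the hostnames, the sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample. mx.receiver.example is the receiving MTA (hypothetical).
# The lower Received-SPF field was already in the message when it arrived.
SAMPLE = """\
Received-SPF: fail (mx.receiver.example: 192.0.2.10 is not permitted by sender.example)
Received: from relay.sender.example (relay.sender.example [192.0.2.10])
\tby mx.receiver.example with ESMTP id CONSTRUCTED1; Mon, 1 Jan 2024 00:00:00 +0000
Received-SPF: pass (relay.sender.example: added upstream, not by the receiver)
Received: from client.sender.example by relay.sender.example with ESMTP id CONSTRUCTED2
From: user@sender.example
Subject: constructed test message

body
"""

def trusted_received_spf(raw, receiving_mta):
    """Return the SPF result recorded by receiving_mta, or None.

    Only Received-SPF fields above the topmost Received field count, and only
    if that Received field was written "by" receiving_mta.
    """
    candidates = []
    # items() keeps header order, topmost (most recently added) first.
    for name, value in message_from_string(raw).items():
        lname = name.lower()
        if lname == "received-spf":
            candidates.append(value)
        elif lname == "received":
            m = re.search(r"\bby\s+([^\s;]+)", value)
            if not m or m.group(1).lower() != receiving_mta.lower():
                return None  # topmost hop is not our MTA: trust nothing
            break
    else:
        return None  # no Received field at all, so no trust boundary
    if not candidates:
        return None  # our MTA added no Received-SPF; lower ones are ignored
    parts = candidates[0].split()
    return parts[0].lower() if parts else None

def blind_received_spf(raw):
    """The 'blind' lookup: every Received-SPF result, whoever added it."""
    msg = message_from_string(raw)
    return [v.split()[0].lower() for v in msg.get_all("Received-SPF", []) if v.split()]
```

On the sample, the blind lookup sees both `fail` and `pass`, while the trusted lookup returns only the receiver's own `fail`; if the receiver's field is absent, it returns `None` rather than falling back to the upstream `pass`.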