There's no need to check SPF when you're going to reject the message
based on bad recipient addresses, bad HELO information, local blacklists,
or accept it based on local whitelists, etc.
The SPF check has to be done first, or you will pass a message just because
it claims to be from aol.com. I think what you are suggesting might work
as long as spammers continue their current practice of ignoring SMTP
compliance, but very soon we can expect spam to have perfectly formed
headers and legitimate, non-blacklisted domains.
We need to make plans based on what spammers are likely to do, not just
what they are doing now.
-- Dave
************************************************************* *
* David MacQuigg, PhD * email: dmq'at'gci-net.com * *
* IC Design Engineer * phone: USA 520-721-4583 * * *
* Analog Design Methodologies * * *
* * 9320 East Mikelyn Lane * * *
* VRS Consulting, P.C. * Tucson, Arizona 85710 *
************************************************************* *