...... Original Message .......
On Fri, 13 May 2005 16:36:58 -0500 wayne <wayne(_at_)schlitt(_dot_)net> wrote:
I did not apply this one. As discussed on #spf, Chuck feels very
strongly about requiring SPF being done during the SMTP transaction
and not during later processing, such as SpamAssassin and other
filters are doing.
I'm interested in opinions from others.
In theory I suppose Chuck is right. That's the best, most reliable, lowest
risk way to do it. It is not, however the SPF Classic way to do it.
IMO, the SA 3.0 implementation is the one that worries forgers the most.
Not everyone will be able to do SPF checking on their border MTA during
SMTP time. Doing it later has it's complexities, but we shouldn't exclude
those who can manage it.
If we want a rule that says SHALL NOT bounce based on SPF results after the
SMTP session is closed, I wouldn't mind that (I'm writing this on my phone
while waiting for my 2 year old to fall asleep, so checking the current
draft is non-trivial).
Scott K