In <200505141427(_dot_)j4EERRZ2063686(_at_)asarian-host(_dot_)net> Mark
<admin(_at_)asarian-host(_dot_)net> writes:

> I would just drop the entire last paragraph of section 2.4.

I think that it is important to leave the last paragraph in because it
gives reasons why you SHOULD perform the SPF check during the SMTP
transaction. I think it could, however, do a better job of making
that point. In particular the last paragraph starts out with "Software
can also perform the authorization after the corresponding SMTP
transaction has completed."
I've been playing around with the last paragraph, and section 2.4 now
ends with this:

   This authorization check SHOULD be performed during the processing of
   the SMTP transaction that sends the mail. This allows errors to be
   returned directly to the sending server by way of SMTP replies.
   Performing the authorization after the corresponding SMTP transaction
   has completed faces problems, such as: 1) It may be difficult to
   accurately extract the required information from potentially
   deceptive headers. 2) If the email is forged and the authorization
   fails, then generating a non-delivery notification to the alleged
   sender is abusive and is against their explicit wishes.

Again, I'm kind of playing around with this; I'm really not set on
this wording. Comments are very welcome. I was very tempted to point
out that bogus bounces can (now) be reported to SpamCop and can get
your MTA listed on their DNSBL. ;-)
-wayne