In <200505151738(_dot_)29558(_dot_)bulk(_at_)mehnle(_dot_)net> Julian Mehnle
<bulk(_at_)mehnle(_dot_)net> writes:
Julian Mehnle wrote:
Wayne Schlitt suggested:
| This authorization check SHOULD be performed during the processing of
| the SMTP transaction that sends the mail. This allows errors to be
| returned directly to the sending server by way of SMTP replies.
|
| Performing the authorization after the corresponding SMTP transaction
| has completed faces problems, such as: 1) It may be difficult to
| accurately extract the required information from potentially
| deceptive headers. 2) If the email is forged and the authorization
| fails, then generating a non-delivery notification to the alleged
| sender is abusive and is against their explicit wishes.
Re 1: some systems supply the relevant identities through environment
variables, which _is_ accurate. Thus I'd just say ""
point 1 does not say that it is *always* hard to extract accurate
information, only that it *may* be hard. I think point 1 remains valid.
Re 2: [snip]
This is not a matter of when SPF checks are performed. Instead we should
_generally_ recommend, outside this particular paragraph, against sending
automatic messages to sender identities that have not been authenticated
(through SPFv1 or other means).
I guess I could agree with that.
I propose:
[snip]
You posted your proposal while I was still researching and writing an
message on how to deal with sender policy transitions. Your proposed
wording places most of the burden of a transition on the SPF checker,
which would be "option 3" under my list of ways to deal with this. In
my post, I outline somthing for "option 5" (equal burden).
I'm interested in hearing about which option people think is best.
-wayne