...... Original Message .......
On Mon, 16 May 2005 17:17:03 +0100 "Chris Haynes"
<chris(_at_)harvington(_dot_)org(_dot_)uk>
wrote:
snipped a long discussion here.
As I say, this is not a proposal for incorporation into this current
spec., but
I thought I'd write it up now, while it's in my mind. Without something
like
this, I firmly believe SPF testing should only be recommended during the
SMTP
transaction.
Chris Haynes
Although there are a lot of reasons to prefer SPF checking during an SMTP
transaction, it seems to me that the proper concern for the validity of an
SPF record over time is the amount of time since the message was sent.
There are sequences of SMTP transactions that can stretch over days. In
terms of time phasing, the difference between testing a record in an SMTP
transaction and an SA check run post-data, but on the same box appears to
me to be a small detail that is completely swamped by larger issues.
All the spec needs to say is that obsolete mechanisms shouldn't be removed
until one is reasonably sure all mail that was sent using the MTA relying
on that mechanism would have been delivered. Receivers should not rely on
SPF records continuing to be accurate long after mail has been received.
If we need to quantify 'reasonably sure' and 'long', then we do it in a BCP
after the RFC is done.
Scott K