spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 13:50:57
Dennis Willson <taz(_at_)taz-mania(_dot_)com> writes:

My vote is authorized as well.

To me, authentication implies proof that the sender is who they say
they are. I use certificates to sign any email that I need to
authenticate a specific sender.  SPF doesn't authenticate the
sender or even the domain. It only indicates that the MTA in
question has permission (authorization) to send email from a
specific domain.

In my SPF records I indicate what MTAs have permission (are
authorized) to send on my domains' behalf. If someone receives an
email from one of my domains that gets an SPF FAIL I expect them to
believe and treat the email as an absolute forgery. Also the only
assumption I make on receiving an SPF PASS is that it came from an
MTA that has permission (is authorized) to send on their behalf, but
I don't assume it's not forged.

That sums up my position and views as well. I give far more weight to
a 'fail' than a 'pass' in that it indicates that the mail is
definitely a forgery, with a 'soft fail' indicating that it is
probably a forgery but may be genuine.

When I published SPF records the purpose was to try and prevent/cut
down on forgery and joe-jobs.