Alex van den Bogaerdt wrote:
if MS checks against v=spf1 records and this results
in a PASS, they could display "verified". I see no
objection to that, is there?
If they'd check PRA against v=spf1 resulting in a PASS which
shouldn't be a PASS it's the "phishing super-highway". You
just get an accout on an MSA "enforcing submission rights"
(= doing it right, Scott's HARDPASS), then you use a From,
Sender, or Resent-* adress permitting the IP of this MSA in
a v=spf1 policy, and a To: user(_at_)hotmail(_dot_)
The PRA is say the forged Resent-From, it's v=spf1 policy
permits the IP of the good MSA, you have your PASS sailing
right into the user(_at_)hotmail box, all green lights blinking:
"reliable MSA, verified PRA, result PASS, trust me".
This would be handy for the many cases where RFC822_from
equals RFC821_from.
It's handy if you permit it explicitly. v=spf1 is _lousy_
as "anti-phishing" tool (unless a MUA cares to display the
Return-Path), PRA applied on v=spf1 without explicit consent
is dangerous.
I'd be very happy if they restrict themselves to test MFROM
against v=spf1. Adding PRA for those who really want it is
no big deal (opt-in).
Bye, Frank