Stuart D. Gathman wrote:
I'm talking about when B in the above scenario accepts the
mail, then sends a DSN to sender after discovering belatedly
(via late SPF check) that it should have rejected it after
all.
Technically B behind A (the A in 5.3.6a :-) is almost the same
as B' behind B - just don't check SPF behind your border, it
often won't work as expected (and if you do it anyway use it
only for tagging). The spec. already has tons of MUSTard and
SHOULDs about this issue, IMO it's clear. Late SPF checks are
a dubious idea for obvious reasons.
But they have a nice side-effect, the spammers are unable to
determine who does it anyway (e.g. using SA 3.x). and because
they can't be sure they can't abuse FAIL protected addresses
against targets where SPF FAIL is normally not rejected. Bye
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com