K.J. Petrie (Instabook) wrote:
SPF will only be effective of it gains widespread acceptance.
It's already effective if spammers stay away from forging FAIL-
protected domains. The spammer can simply abuse unprotected
domains. The domain owner will learn very fast how to create
a FAIL-policy, the spammers move on after some time, etc.
Q. RPF needs the DATA to complete before if can perform its tests.
Classic SPF operates before the DATA is requested. Can't we use
RCPT TO: instead?
A. In the example above, RCPT TO: would contain
"myname(_at_)dirtcheapbroadband(_dot_)net", but to look up the RPF record
we would need "example.com".
Yes, assuming that dirtcheapbroadband.net is willing to do such
RPF lookups. You said they're unwilling to offer some Web form
to configure this.
This is in the DATA part of the transaction, in a To: Cc: or
Received: header.
Not reliably for Bcc: cases. And should dirtcheapbroadband.net
start to guess, a lookup for each and every address they find in
To:, Cc:, and a Received: "for"-clause ?
This is clearly less elegant
Putting it mildly, they've no clue that you're any(_at_)example(_dot_)com
They can't start numerous queries hoping to find some RPF, and
if they find one, why should it be your RPF, maybe it's my RPF,
because I'm in the Cc:
IMO the forwarder in your scenario has to be eliminated.
Frank
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735