spf-discuss

RE: [spf-discuss] Re: Another test case for the test suite...

2007-01-11 12:09:31
Seth Goodman wrote on Thursday, January 11, 2007 12:22 PM -0600:

> While the original goal of having all SPF recipients get the same
> query result was laudable, recipients are not required to query
> both record types, so that is no longer possible.

That was imprecise.  I should have noted the original goal was to have
all SPF recipients evaluate checkhost() the same.  Transient DNS errors
are not the same across all recipients, so this doesn't apply.  I still
think it makes more sense to treat queries for either record type the
same, since SPF does not require recipients to query both.

As to how we treat the SPF result when it comes from HELO as compared to
MAILFROM, they mean different things and a recipient may wish to treat
them differently.  SPF fail on MAILFROM with SPF pass on HELO could be a
legitimate forwarded message.  When the domain has no reputation, you
have no information.  SPF pass on MAILFROM with SPF fail on HELO
indicates an original message, but the domain designates a poorly
configured mailer.  When the domain has no reputation, you have a clue
that you don't want the message.  This is different from the previous
case, even though both produce a single SPF pass from two evaluations.
Another difference is that if you later decide to whitelist that domain
to accept their mail, it would be only for HELO.  This distinction
should remain useful until people stop misconfiguring HELO or SPF gets
explicit scoping.

--
Seth Goodman
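
Added example, not part of the original message: a receiver-side sketch that keeps the HELO and MAILFROM results separate instead of merging them into one "pass". It assumes each check was recorded in a Received-SPF header carrying the `identity` key (RFC 4408, section 7); the function names, labels and sample headers are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample headers (not from the post), in the Received-SPF
# key=value form of RFC 4408 section 7; hosts and addresses are placeholders.
FORWARDED = (
    "Received-SPF: pass (helo permitted) identity=helo; helo=fwd.example.org\n"
    "Received-SPF: fail (not permitted) identity=mailfrom;"
    " envelope-from=<a@example.com>\n"
    "Subject: constructed\n\nbody\n")
BAD_HELO = (
    "Received-SPF: fail (helo not permitted) identity=helo; helo=mx.example.com\n"
    "Received-SPF: pass (permitted) identity=mailfrom;"
    " envelope-from=<b@example.com>\n"
    "Subject: constructed\n\nbody\n")

HEADER_RE = re.compile(r"\s*([A-Za-z]+)\s*(?:\([^)]*\))?(.*)", re.S)
PAIR_RE = re.compile(r"([A-Za-z][\w-]*)\s*=\s*([^;\s]+)")

def spf_results(raw_message):
    """Map each checked identity ('helo', 'mailfrom') to its SPF result."""
    results = {}
    for value in message_from_string(raw_message).get_all("Received-SPF", []):
        match = HEADER_RE.match(value)
        if not match:
            continue
        pairs = {k.lower(): v.lower() for k, v in PAIR_RE.findall(match.group(2))}
        if pairs.get("identity") in ("helo", "mailfrom"):
            results[pairs["identity"]] = match.group(1).lower()
    return results

def collapsed(results):
    """Naive merge: one pass from either evaluation counts as 'pass'."""
    return "pass" if "pass" in results.values() else "other"

def interpret(results):
    """Return (scenario, signal for a domain with no reputation), per the post."""
    helo, mailfrom = results.get("helo"), results.get("mailfrom")
    if mailfrom == "fail" and helo == "pass":
        return ("possible forwarded message", "no information")
    if mailfrom == "pass" and helo == "fail":
        return ("original message, poorly configured mailer", "likely unwanted")
    return ("not covered by the post", None)
```

Both samples collapse to the same single "pass", while `interpret` distinguishes them by identity.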
