Seth Goodman wrote:
MSAs could use this trick, if they wish to identify plausible (no FAIL)
envelope senders.
Sure, but the MSA needs to have a list of acceptable return-path
domains, and preferably a list of mailboxes with their required
authentication credentials, regardless of what external domain owners
publish.
Not necessarily, the famous "enforced submission rights" in RFC 4409
are only an OPTION. Any MSA "MUST" (in 4409) have some kind of AUTH,
to identify users AUTHorized to use the MSA. That could be anything
from SMTP-after-POP over RADIUS to SMTP AUTH (2554bis).
Which Return-Path AUTHorized users are permitted to use can be a very
different question. SPF PASS is a possible solution to figure it out.
Probably not good enough for op=auth, for that you'd really need a
list. Or anything with the same effect, a big ISP could just demand
that users have to use the MAIL
FROM:<their(_dot_)mailbox(_at_)this(_dot_)isp(_dot_)example>
Since you need that list anyway to keep you from open relaying, SPF
checking is redundant for this purpose.
IMO it's s/Since/If/
Frank
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735