Jim Fenton wrote:

> we're in the "treat the message (hint-hint, nudge-nudge) with
> prejudice" realm, which is more dangerous than being more
> specific, as Scott Kitterman has noted about SPF.

Some folks including me disagree very strongly with this opinion:

* SPF is very strict about not dictating any "receiver policy", and in one case (PermError) this strict approach even caused a now confirmed erratum re-inserting the lost extended error code for receivers wishing to reject PermError.

* For obvious reasons checking SPF works best at the border MTA in an SMTP session before DATA. Getting a FAIL at this point receivers obviously better reject the mail, otherwise they'd later be forced to drop it (bouncing FAIL is no sound option).

* Some folks discussed here under the tag "high value phishing targets" proposed a "DWIM FAIL" introducing "receiver policy" REJECT for this "harderfail" or whatever it is. The proposal wasn't accepted, as it would water down millions of policies with an ordinary FAIL, also of course hoping for a REJECT in (rare) cases of "clueless receiver checked behind his border".

* This reasoning is simple, obvious, and valid for SPF, it's not necessarily also good for PRA or SSP. If you want "DWIM FAIL" in SSP go for it, but don't say that it's lacking in SPF.

Frank

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
