I propose to start using it like this:
If SPF "pass"es a message, I'll assume that it's either from an easily blacklistable domain which I will blacklist and stop, or it's from a real person.
If SPF "fails" a message, I'll assume the envelope is forged and drop it.
If SPF doesn't know (returns "Unknown") I'll challenge it as usual.
This can be actively checked using a Python package (spf.py) or, better yet, just by reading the Received-SPF header on a server whose MTA implements SPF. I'll just check for that header in my incoming filter for now, as soon as I get this going, but it may be nice to make it easier for users to do this, or at least put up a FAQ once I've got the bugs out.
In general I think use of SPF should be encouraged as it looks to me like a nice addition to SMTP which will reduce email address forgery, reducing both false challenges to unsuspecting victims, and also reducing the number of bounces I get because some spammer forged my address.
What do you think?
-- Jim Ramsay
_________________________________________________ tmda-workers mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-workers
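The three-way policy described in the post, as an added example that is not part of the original message or of TMDA's code: it reads the Received-SPF header and returns accept, drop or challenge. The host name mx.example.org, the function names and the sample messages are constructed, and it assumes your own MTA prepends its Received-SPF header above any header a sender supplied.

```python
import email
import re

# Policy from the post: pass -> accept, fail -> drop, anything else -> challenge.
ACTIONS = {"pass": "accept", "fail": "drop"}

def spf_action(raw_message, receiver):
    """Map the topmost Received-SPF header to accept / drop / challenge.

    Assumption: our MTA prepends its header, so only the first one is ours;
    any later Received-SPF header may have been supplied by the sender.
    """
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received-SPF", [])
    if not headers:
        return "challenge"                       # MTA did not check: no verdict
    top = re.sub(r"\([^)]*\)", " ", headers[0])  # drop the free-text comment
    top = " ".join(top.split())                  # unfold continuation lines
    result = re.match(r"[A-Za-z]+", top)
    stamp = re.search(r"\breceiver=([^;\s]+)", top, re.I)
    if not result or not stamp or stamp.group(1).lower() != receiver.lower():
        return "challenge"                       # not stamped by our own MTA
    return ACTIONS.get(result.group(0).lower(), "challenge")

def sample(*spf_headers):
    """Build a constructed test message carrying the given Received-SPF values."""
    lines = ["Received-SPF: " + h for h in spf_headers]
    lines += ["From: alice@example.com", "Subject: hello", "", "body"]
    return "\n".join(lines)

OURS = "client-ip=192.0.2.1; envelope-from=alice@example.com; receiver=mx.example.org;"
SAMPLE_PASS = sample("pass (mx.example.org: sender permitted) " + OURS)
SAMPLE_FAIL = sample("fail (mx.example.org: sender not permitted) " + OURS)
# A sender-supplied "pass" sits below the header our MTA added.
SAMPLE_FORGED = sample("unknown (mx.example.org: no SPF record) " + OURS,
                       "pass (forged) " + OURS)
SAMPLE_FOREIGN = sample("pass (other) client-ip=192.0.2.1; receiver=mx.other.example;")
SAMPLE_NONE = sample()

if __name__ == "__main__":
    for name in ("PASS", "FAIL", "FORGED", "FOREIGN", "NONE"):
        print(name, spf_action(globals()["SAMPLE_" + name], "mx.example.org"))
```

If the MTA does not always add its own header, strip incoming Received-SPF headers at the edge before a filter like this runs.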
