> > What's "hardcore" about rejecting mail from addresses that are in
> > violation of published SPF records?
>
> The interesting question about any individual piece of mail
> is, ``does the addressee want to receive it?'', not,
> ``through which server/s has it passed, and are they
> controlled by the owners of the sending domain?''. SPF may
> tell you the answer to the second question, in some cases;
> this may give you evidence about the answer to the first, but
> you certainly can't in general determine the answer to the
> first question from the answer to the second!

By that definition, nothing generally satisfies the first question
except for the addressee accepting all mail and making the determination for
themselves. I guess that makes administration much easier; no need for spam
or malware analysis!

I maintain that if an administrator for a domain has taken the time
and effort to publish SPF records for the servers authorized to deliver mail
as their domain, then it's perfectly legitimate to reject mail from
non-authorized servers.

Certainly there are situations where it's not possible to reject at
SMTP based on the sender's IP address (i.e., you ETRN/fetchmail from another
server), but for fully connected sites, I don't see a problem rejecting
messages from violating servers.

I don't see it as any more "hardcore" than if someone were to
complain that they couldn't receive messages I tried to send them because
they had their MX records pointing to incorrect servers.

Chris
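
The policy argued for in the message above, as an added example that is not part of the original thread or of any mail server's code: reject at SMTP time only on an SPF "fail", and skip the check when the connecting IP is an intermediate server (the ETRN/fetchmail case). It handles only the `ip4`, `ip6` and `all` mechanisms; the record, the addresses and the `direct_delivery` flag are constructed for illustration.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record using documentation address ranges.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

def parse_spf(record):
    """Parse the ip4/ip6/all subset of an SPF record into (qualifier, network) pairs."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None  # the domain publishes no SPF policy
    rules = []
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            rules.append((qualifier, ipaddress.ip_network(arg, strict=False)))
        elif name.lower() == "all":
            rules.append((qualifier, None))  # None matches every address
        else:
            # a, mx, include, redirect= etc. need DNS lookups; out of scope here
            raise ValueError("unsupported SPF term: " + term)
    return rules

def spf_result(record, client_ip):
    """Return the SPF result for client_ip: first matching mechanism wins."""
    rules = parse_spf(record)
    if rules is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, net in rules:
        if net is None or (net.version == ip.version and ip in net):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"

def smtp_decision(record, client_ip, direct_delivery=True):
    """Return (action, spf_result). Reject only on 'fail' from the real sending host."""
    if not direct_delivery:
        # Mail pulled via ETRN/fetchmail: client_ip is the relay, not the sender.
        return ("accept", "skipped")
    result = spf_result(record, client_ip)
    return ("reject" if result == "fail" else "accept", result)

if __name__ == "__main__":
    for ip, direct in [("192.0.2.25", True), ("198.51.100.7", True), ("198.51.100.7", False)]:
        print(ip, direct, smtp_decision(SAMPLE_RECORD, ip, direct))
```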