On Wed, Oct 18, 2006 at 10:46:49AM +0200, Renaud Allard wrote:
> David Saez Padros wrote:
[ attribution lost ]
> >> That's probably better to actually _do_ callout when spf=pass, because
> >> you are "sure" that one the authorized IPs for the domain has sent the
> >> mail, so you have rights to verify the address exists.
> >
> > yes, but then the tested address is likely to exist so the callout will
> > almost always succeed. If you do the callout when spf != pass you will
> > honour batv (if used by the remote domain) and/or check that at least
> > the remote address exists.
> >
>
> Indeed, but, as mentioned before, some will argue that if the spf is
> false you have no right to use their resources to verify things as it is
> probably a spam. And if spf != pass && spf != false (IE: not defined)
This is a misconception. the fact that, say, a large ISP
publishes SPF records for some set of machines does not
mean that their customers may not send mail via other
servers. If I pay, say, AOL cash money for an AOL email
address, I'm entitled to use it however I like; and in
particular, if their outgoing email servers are broken or
are inaccessible to me at any given moment, then I'm
likely to send email via whatever server I can use, for
instance the outgoing smarthost of the ISP I'm using right
now.
--
``Is there no beginning to your talents?''
(Clive Anderson, to Jeffrey Archer)
