[mail-vet-discuss] results should be method specific

Dotzero dotzero at gmail.com
Wed Feb 27 16:14:53 PST 2008


>
> I'm no expert on senderid or spf, but isn't the pertinent field for
> senderid the PRA?
>
> More broadly, if I got it wrong it only illustrates the problem I have
> with the authres draft giving no guidance... this really needs to be
> spelled out.
>
>                Mike
>

If you don't specify MFROM then the RFC does use PRA. We publish
SPF2.0/MFROM because we specifically don't want someone relying on PRA
for mail purporting to be from our domains.

There are specific attacks where someone can use an arbitrary Sender
field (where the domain doesn't publish a record) to get a neutral on
mail abusing a From domain that does publish SPF records (whether SPF1
or SPF2). This occurs because the RFC says that if you have a Sender
field, that is what you set the PRA to be.
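
The header precedence described in the message above, as an added example that is not part of the original post: it selects the PRA in the order RFC 4407 gives (Resent-Sender, Resent-From, Sender, From) and reports which domain's record a PRA-scope check would consult. The function names, domains, records and messages are constructed for illustration, and the RFC's rule about Received headers between Resent-From and Resent-Sender is left out.

```python
from email import message_from_string
from email.utils import getaddresses

def _single_mailbox(values):
    """Return the only mailbox in the only header value, else None (ill-formed)."""
    addrs = [addr for _, addr in getaddresses(values) if addr]
    if len(values) != 1 or len(addrs) != 1 or "@" not in addrs[0]:
        return None
    return addrs[0]

def purported_responsible_address(msg):
    """Header precedence of RFC 4407: Resent-Sender, Resent-From, Sender, From."""
    for name in ("Resent-Sender", "Resent-From"):
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if values:
            return _single_mailbox(values[:1])  # first non-empty occurrence
    for name in ("Sender", "From"):
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if values:
            return _single_mailbox(values)  # several such headers: ill-formed
    return None

def record_scopes(txt):
    """Scopes a published record covers, e.g. 'spf2.0/mfrom -all' -> {'mfrom'}."""
    version = (txt.split() or [""])[0].lower()
    if version.startswith("spf2.0/"):
        return set(version.split("/", 1)[1].split(","))
    if version == "v=spf1":
        return {"mfrom", "pra"}  # RFC 4406 fallback when no spf2.0 record exists
    return set()

def pra_check_plan(raw_message, published):
    """Return (domain a PRA check consults, whether its record covers 'pra')."""
    pra = purported_responsible_address(message_from_string(raw_message))
    if pra is None:
        return None, False
    domain = pra.rsplit("@", 1)[1].lower()
    return domain, "pra" in record_scopes(published.get(domain, ""))

# Constructed sample data: example domains and records, not taken from the thread.
PUBLISHED = {"publisher.example": "spf2.0/mfrom,pra -all"}
FROM_ONLY = "From: Billing <billing@publisher.example>\nSubject: t\n\nbody\n"
WITH_SENDER = ("From: Billing <billing@publisher.example>\n"
               "Sender: relay@unpublished.example\nSubject: t\n\nbody\n")

if __name__ == "__main__":
    print(pra_check_plan(FROM_ONLY, PUBLISHED))    # From domain's record is consulted
    print(pra_check_plan(WITH_SENDER, PUBLISHED))  # Sender domain is consulted instead
```

With a record limited to `spf2.0/mfrom`, the first call also reports no PRA coverage, which matches the choice to publish only the MFROM scope.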

