Second, I believe SPF records can be spoofed
Only to the extent that any DNS record can be spoofed.
use in a disposable manner.
In the sense that you can create any SPF entry you want... for your own domain. I could set one up with "+all" indicating that mail sent via any server on the Internet using my domain should be considered valid. I could buy up 100 disposable domains and put SPF on all of them.
That's why an SPF pass was never intended to bypass filters by itself... but it can be used to decide whether an address is reliable enough to check it against a whitelist.
Within the SpamAssassin scoring paradigm:
whitelisted domain without SPF = no rule triggered
whitelisted domain with SPF pass = apply nice rule & subtract points
whitelisted domain with SPF fail = apply forgery rule & add points
(I'm assuming that's how the feature is to be implemented, because that seems to me the most reasonable way to do it.)
-- Kelson Vibber SpeedGate Communications <www.speed.net>
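An added illustration of the two points made above (an SPF pass by itself proves nothing, since anyone can publish "+all" for a domain they own, and the whitelist-plus-SPF scoring sketched in the reply). This is example code, not part of the thread or of SpamAssassin; the whitelist, score weights, domains and addresses are constructed for the example, and the evaluator only handles ip4/ip6 and "all" terms since the other mechanisms need DNS.

```python
import ipaddress

# Constructed sample policy: domains a site operator has chosen to trust.
WHITELIST = {"example.com", "speed.net"}

# Constructed illustrative weights for the three whitelist cases.
SCORES = {"pass": -2.0, "fail": 3.0}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Minimal offline SPF check over a TXT record string.

    Supports ip4:/ip6: mechanisms and 'all' with +, -, ~ and ? qualifiers.
    Returns 'none' when there is no usable record, otherwise the result of
    the first matching term ('neutral' if nothing matches).
    """
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif term.lower().startswith(("ip4:", "ip6:")):
            # Version mismatch simply fails the containment test.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # a/mx/include/exists need DNS; not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def whitelist_score(domain, spf_result):
    """Score delta in the spirit of the reply: the whitelist only applies
    when SPF says the sender is genuine, and a forgery of a whitelisted
    domain costs points. Non-whitelisted domains get nothing, so an
    attacker's own '+all' record gives them no benefit."""
    if domain not in WHITELIST:
        return 0.0
    return SCORES.get(spf_result, 0.0)


def score_message(domain, record, sender_ip):
    """Combine the two steps for one message."""
    return whitelist_score(domain, evaluate_spf(record, sender_ip))
```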