updated RFC 4408 citation to RFC 7208 and added link in README

[chrislandis]

🗣 Description

This pull request updates the README's RFC 4408 citation to RFC 7208 and adds a link thereto.

💭 Motivation and context

We do not want trustymail documentation (or code) to cite superseded references. RFC 7208 superseded RFC 4408. Resolves #136.

🧪 Testing

After making the change to the README, I pushed the change to my forked repo and could proof-read the text and test the link from there.

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• Changes are limited to a single goal - eschew scope creep!
• All relevant type-of-change labels have been added.
• I have read the CONTRIBUTING document.
• These code changes follow cisagov code standards.
• All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
• All new and existing tests pass.

[jsf9k]

Thank you for the contribution @chrislandis!

[mcdonnnj]

Before we change the documentation has the code been verified to conform to 7208? RFC 4408 was experimental and there are likely to have been changes in the proposed standard (RFC 7208). If this was originally written against 4408 then before we claim it checks records in accordance with 7208 we should make sure that is the case.

[chrislandis]

Before we change the documentation has the code been verified to conform to 7208? RFC 4408 was experimental and there are likely to have been changes in the proposed standard (RFC 7208). If this was originally written against 4408 then before we claim it checks records in accordance with 7208 we should make sure that is the case.

Great point, @mcdonnnj! In my look at the code (which was not a thorough verification), I did not happen to see any way in which trustymail acted contrary to RFC 7208; however, I did not conduct a full analysis to ensure that there were no missing actions. In other words, to achieve a formal verification, we would need to ensure both soundness (that trustymail acts strictly within the SPF specification, not doing extra stuff related to SPF) and completeness (that trustymail does everything in the SPF specification).

There are various courses of action that we could take from here in support of this verification.

• We could pause this pull request to complete the verification. If we find problems with soundness or completeness, each of those would become its own new issue. Once all (if any) issues are identified and created (but not necessarily resolved), we could advance this pull request.
• Alternatively, we could proceed with this pull request now and create a new issue that tasks trustymail's SPF verification with RFC 7208.
• There may be a different way that is preferable to the CISA Team.