diff --git a/TODO b/TODO
index b097fe9b2c14410598838236e9b0cdc9a0004579..d094ba11c97c6440305ec84cbb11c6bbccf19184 100644
--- a/TODO
+++ b/TODO
@@ -6,10 +6,6 @@ can be rejected without maintaining valid user lists.
 
 Now that we blacklist IPs for too many bad rcpts, delay SPF until RCPT TO.
 
-Convert DSN to REJECT unless sender gets SPF pass or best guess pass.  Make
-configurable by SPF result with NOTSPAM policy (reject or deliver without DSN).
-Maybe policy should be NODSN - still verify sender with CBV.
-
 When content filtering is not installed, reject BLACKLISTed MFROM
 immediately.  There is no use waiting until EOM.
 
@@ -86,10 +82,6 @@ Whitelisted senders from trusted relay get PROBATION.  Need to extracted
 SPF result from headers - and in the case of mail internal to relay
 (e.g. bmsi.com), supply 'pass' result.  
 
-For selected domains, check rcpts via CBV before accepting mail.  Cache
-results.  This will kick out dictonary attacks against a mail domain
-behind a gateway sooner.
-
 Add auto-blacklisted senders to blacklist.log with timestamp.
 Add emails blacklisted via CBV so that they are remembered across milter
 restarts.
@@ -106,8 +98,6 @@ e.g. verizon.net).
 Allow verified hostnames for trusted_relay.  E.g. HELO name that
 passes SPF.
 
-Table of sendmail macros for documentation.
-
 When do we get two hello calls?  STARTTLS is one reason.
 
 Option: accept mail from auto-whitelisted senders even with spf-fail,
@@ -189,6 +179,16 @@ Need a test module to feed sample messages to a milter though a live
 sendmail and SMTP.  The mockup currently used is probably not very accurate,
 and doesn't test the threading code.
 
+DONE Table of sendmail macros for documentation.  In API docs on milter.org.
+
+DONE For selected domains, check rcpts via CBV before accepting mail.  Cache
+results.  This will kick out dictonary attacks against a mail domain
+behind a gateway sooner.
+
+DONE Convert DSN to REJECT unless sender gets SPF pass or best guess pass.  Make
+configurable by SPF result with NOTSPAM policy (reject or deliver without DSN).
+Maybe policy should be NODSN - still verify sender with CBV.
+
 DONE Add parseaddr test case for 'foo@bar.com <baz@barf.biz>'
 
 DONE Require signed MFROM for all incoming bounces when signing all outgoing