David Lee t.d.lee at DURHAM.AC.UK
Mon Aug 16 16:04:28 IST 2004

On Tue, 10 Aug 2004, Alex Neuman wrote:

> Ok... So would a conservative-yet-effective approach be:
> 1. Sendmail gets message, checks SPF. If SPF records say mail came from
> unauthorized server, drop the connection. If no SPF available, receive
> e-mail anyways (for now).
> 2. MailScanner gets message from Sendmail, passes message to SpamAssassin
> for processing. SpamAssassin checks SPF records, assign arbitrary negative
> number (say, -2.0) if SPF records check out ok, otherwise process as usual.
> Less conservative efforts would range from harsh (assign positive score to
> non-SPF messages when checked by SA) to brutal (drop non-SPF messages at MTA
> level).

There's another subtlety.  SPF is not a pass/fail thing.  There is also
a "softfail" result:

   the message does not meet a domain's strict definition of legitimacy,
   but the domain cannot confidently state that the message is a forgery.
   MTA's SHOULD accept the message but MAY subject it to a higher
   transaction cost, deeper scrutiny, or an unfavourable score.

(The complete SPF result set is: None, Neutral, Pass, Fail, Softfail.)

It goes on (section "Phased Rollout") to say:

   A domain might move through these phases by changing its default
   response type from "neutral" to "softfail" to "fail".
   When a sufficient majority of its users are SPF-conformant, a domain
   SHOULD change its default to "fail".   [...]

Hope that helps.


:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

More information about the MailScanner mailing list