SPF
David Lee
t.d.lee at DURHAM.AC.UK
Mon Aug 16 16:04:28 IST 2004
On Tue, 10 Aug 2004, Alex Neuman wrote:
> Ok... So would a conservative-yet-effective approach be:
>
> 1. Sendmail gets message, checks SPF. If SPF records say mail came from
> unauthorized server, drop the connection. If no SPF available, receive
> e-mail anyways (for now).
> 2. MailScanner gets message from Sendmail, passes message to SpamAssassin
> for processing. SpamAssassin checks SPF records, assigns an arbitrary negative
> number (say, -2.0) if SPF records check out ok, otherwise processes as usual.
>
> Less conservative efforts would range from harsh (assign positive score to
> non-SPF messages when checked by SA) to brutal (drop non-SPF messages at MTA
> level).
There's another subtlety. SPF is not a pass/fail thing. There is also
a "softfail" result:

    the message does not meet a domain's strict definition of legitimacy,
    but the domain cannot confidently state that the message is a forgery.
    MTAs SHOULD accept the message but MAY subject it to a higher
    transaction cost, deeper scrutiny, or an unfavourable score.

(The complete SPF result set is: None, Neutral, Pass, Fail, Softfail.)

It goes on (section "Phased Rollout") to say:

    A domain might move through these phases by changing its default
    response type from "neutral" to "softfail" to "fail".
    [...]
    When a sufficient majority of its users are SPF-conformant, a domain
    SHOULD change its default to "fail". [...]
Hope that helps.
--
David Lee, Systems Programmer
I.T. Service, Computer Centre, University of Durham
South Road, Durham, U.K.
http://www.dur.ac.uk/t.d.lee/
Phone: +44 191 334 2752
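As an added illustration (not code from this post, nor from MailScanner, Sendmail or SpamAssassin), the five SPF results and the conservative policy discussed in the thread, in Python: a minimal evaluator that handles only ip4/ip6 mechanisms and "all" with the four qualifiers, plus the MTA decision and the SpamAssassin-style score for each result. The record, sender IPs and the Softfail score are constructed sample values; only the -2.0 Pass bonus comes from the thread.

```python
import ipaddress

# The full SPF result set named in the thread.
SPF_RESULTS = ("None", "Neutral", "Pass", "Fail", "Softfail")

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}


def check_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the connecting IP.

    Deliberately minimal: only ip4/ip6 mechanisms and 'all' are understood
    (include, a, mx, redirect are out of scope). Returns one of SPF_RESULTS.
    """
    if record is None:                      # domain publishes no record
        return "None"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term         # no prefix means "+" (Pass)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":                   # the record's default response
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "Neutral"                        # nothing matched, no explicit 'all'


def mta_action(result):
    """The conservative MTA policy from the thread: reject only a hard Fail.
    None, Neutral, Pass and Softfail are accepted and left to SpamAssassin."""
    return "reject" if result == "Fail" else "accept"


def sa_score(result):
    """Score adjustment after the MTA has accepted the message.
    -2.0 for Pass is the thread's figure; +1.0 for Softfail is a constructed
    example of the 'unfavourable score' the spec permits; others unchanged."""
    return {"Pass": -2.0, "Softfail": 1.0}.get(result, 0.0)
```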
------------------------ MailScanner list ------------------------