OT: SPF was Re: Annoying!!!

Steve Freegard steve.freegard at fsl.com
Wed Nov 22 10:29:24 GMT 2006


Brent Addis wrote:
> Many companies drop email coming from hosts that aren't listed as an 
> address in a valid spf record, so they don't bounce back to you. Of 
> course they still accept mail without any spf record assigned to it, but 
> I'm sure that'll stop one day.
> 
> http://www.openspf.org/wizard.html?mydomain=&x=0&y=0 has a wizard for 
> it. It gets inserted into your dns records.

Let me go on record saying that I *hate* that wizard...

It defaults records to ~all (if SPF record doesn't match return 
SOFTFAIL) or ?all (if SPF record doesn't match return NEUTRAL), it does 
*not* give the option of -all (if SPF record doesn't match return FAIL) 
at all.

The only time you can *safely* reject mail at SMTP time is if the SPF 
result == Fail (-all); all other states, e.g. softfail, neutral and pass, 
are only useful for more expensive content checking such as SpamAssassin...

SPF Pass - can be useful when used with 'other' tests, although I've 
seen a lot of spam domains set up SPF records with a '+all' (return Pass 
if the SPF record doesn't match) that try and take advantage of this. 
Because I think '+all' is both useless and evil, I downgrade this to 
'Neutral' on my systems...

> Be warned though, if you have remote users, they will have to use a 
> server within your spf realm for sending mail.

Yes - especially true if you set -all or ~all in your SPF record; if you 
use ?all then it really doesn't matter.

> I would recommend turning off the catchall too.

Yes - catch-alls are evil.

On my spam trap I set an SPF record of 'v=spf1 mx -all' and reject any 
SPF fail at SMTP time. Currently I don't get brilliant results with 
this, but I do get some:

Out of 49,630 senders - 1,331 were rejected due to SPF fail, most of 
these I suspect were due to spammers trying to send in junk by forging 
my own domain.  These numbers might be higher if I reduced some of the 
other pre-DATA rejections on this box.

Cheers,
Steve.
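The policy Steve describes above (evaluate the sender's SPF record, reject at SMTP time only on a hard Fail from `-all`, and treat a Pass that comes solely from a `+all` record as Neutral) can be made concrete with a small evaluator. The following is an added example written for this archive page; it is not MailScanner's code, not Steve's, and not any real SPF library. DNS is replaced by a constructed in-memory table (the domains `example.com`, `softfail.example`, `neutral.example`, `spammy.example`, `nospf.example` and all IP addresses are made up), only the `ip4`, `a`, `mx` and `all` mechanisms are handled, and `include:`/`redirect=` and the PermError/TempError results of the RFC are left out, so a production deployment would use a full SPF implementation with a real resolver instead.

```python
"""Toy SPF evaluator plus an SMTP-time accept/reject policy.

Added example, not MailScanner's or any SPF library's code. DNS answers
come from a constructed table so the script runs offline.
"""
import ipaddress

# Constructed "DNS" data (assumption, not real records).
DNS = {
    "example.com": {"TXT": "v=spf1 mx -all",
                    "MX": ["mail1.example.com", "mail2.example.com"]},
    "softfail.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all", "MX": []},
    "neutral.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 ?all", "MX": []},
    "spammy.example": {"TXT": "v=spf1 +all", "MX": []},   # the '+all' pattern
    "nospf.example": {"MX": []},                          # no TXT record at all
}
A_RECORDS = {
    "mail1.example.com": ["192.0.2.10"],
    "mail2.example.com": ["192.0.2.11"],
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Return (result, matched_term) for a MAIL FROM domain and sending IP.

    Supports ip4, a, mx and all. With no matching mechanism and no 'all'
    term the result is Neutral, as RFC 4408 specifies.
    """
    record = DNS.get(domain, {}).get("TXT")
    if record is None:
        return "none", None                      # no SPF record published
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none", None
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"                          # default qualifier is Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier], "all"  # 'all' always matches
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], term
        elif name == "a":
            hosts = A_RECORDS.get(arg or domain, [])
            if any(ip == ipaddress.ip_address(a) for a in hosts):
                return QUALIFIERS[qualifier], term
        elif name == "mx":
            for mx_host in DNS.get(arg or domain, {}).get("MX", []):
                addrs = A_RECORDS.get(mx_host, [])
                if any(ip == ipaddress.ip_address(a) for a in addrs):
                    return QUALIFIERS[qualifier], term
        # Other mechanisms (include, exists, ...) are not modelled here.
    return "neutral", None


def smtp_policy(domain, client_ip):
    """Decide 'reject' or 'accept' at SMTP time from the SPF result.

    Only a hard Fail is rejected. A Pass that was produced by a bare
    '+all' term is downgraded to Neutral, because such a record asserts
    nothing about the sender. Everything else is accepted and left to
    content scanning downstream.
    """
    result, matched = evaluate_spf(domain, client_ip)
    if result == "pass" and matched == "all":
        result = "neutral"
    if result == "fail":
        return "reject", result
    return "accept", result


if __name__ == "__main__":
    # A forged sender claiming example.com from an IP that is not an MX.
    print(smtp_policy("example.com", "203.0.113.5"))   # ('reject', 'fail')
    # Legitimate mail relayed through example.com's MX.
    print(smtp_policy("example.com", "192.0.2.10"))    # ('accept', 'pass')
    # The '+all' domain: Pass downgraded to Neutral, still accepted.
    print(smtp_policy("spammy.example", "203.0.113.5"))  # ('accept', 'neutral')
```

The downgrade happens on the `matched == "all"` condition rather than on the raw result, so a genuine Pass from `mx`, `a` or `ip4` keeps its value for later scoring while a `+all` record no longer buys the sender anything.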

