OT: SPF was Re: Annoying!!!
steve.freegard at fsl.com
Wed Nov 22 10:29:24 GMT 2006
Brent Addis wrote:
> Many companies drop email coming from hosts that aren't listed as an
> address in a valid spf record, so they don't bounce back to you. Of
> course they still accept mail without any spf record assigned to it, but
> I'm sure that'll stop one day.
> http://www.openspf.org/wizard.html?mydomain=&x=0&y=0 has a wizard for
> it. It gets inserted into your dns records.
Let me go on record saying that I *hate* that wizard...
It defaults records to ~all (if SPF record doesn't match return
SOFTFAIL) or ?all (if SPF record doesn't match return NEUTRAL), it does
*not* give the option of -all (if SPF record doesn't match return FAIL)
The only time you can *safely* reject mail at SMTP time is if the SPF
result == Fail (-all), all other states e.g. softfail, neutral and pass
are only useful for more expensive content checking such as SpamAssassin...
SPF Pass - can be useful when used with 'other' tests, although I've
seen a lot of spam domains set up SPF records with a '+all' (return Pass
if the SPF record doesn't match) that try and take advantage of this.
Because I think '+all' is both useless and evil, I downgrade this to
'Neutral' on my systems...
> Be warned though, if you have remote users, they will have to use a
> server within your spf realm for sending mail.
Yes - especially true if you set -all or ~all in your SPF record, if you
use ?all then it really doesn't matter.
> I would recommend turning off the catchall too.
Yes - catch-alls are evil.
On my spam trap I set an SPF record of 'v=spf1 mx -all' and reject any
SPF fail at SMTP time, currently I don't get brilliant results with
this, but I do get some:
Out of 49,630 senders - 1,331 were rejected due to SPF fail, most of
these I suspect were due to spammers trying to send in junk by forging
my own domain. These numbers might be higher if I reduced some of the
other pre-DATA rejections on this box.
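The qualifier distinctions discussed in this thread (-all / ~all / ?all / +all, rejecting only on a hard Fail, and downgrading a '+all' Pass to Neutral) as a small, offline SPF evaluator. This is an added example, not code from the original post or from MailScanner; the DNS table, domain and addresses are constructed stand-ins, and only the mechanisms `all`, `ip4`, `a` and `mx` are implemented.

```python
import ipaddress

# Constructed stand-in for DNS (MX and A lookups) so the example runs offline.
# Hypothetical names and addresses; not real infrastructure.
FAKE_DNS = {
    "MX": {"example.com": ["mail.example.com"]},
    "A": {
        "mail.example.com": ["192.0.2.10"],
        "example.com": ["192.0.2.20"],
    },
}

# Qualifier prefix -> SPF result name. A mechanism with no prefix means '+'.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split 'v=spf1 mx -all' into [(qualifier, mechanism, argument), ...]."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((qualifier, name.lower(), argument))
    return mechanisms


def _host_has_ip(host, ip, dns):
    """True if any A record of host (in the constructed table) equals ip."""
    return any(ipaddress.ip_address(a) == ip for a in dns["A"].get(host, []))


def mechanism_matches(name, argument, domain, ip, dns):
    """Evaluate one mechanism (subset: all, ip4, a, mx) against the sender IP."""
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(argument, strict=False)
    if name == "a":
        return _host_has_ip(argument or domain, ip, dns)
    if name == "mx":
        mx_hosts = dns["MX"].get(argument or domain, [])
        return any(_host_has_ip(mx, ip, dns) for mx in mx_hosts)
    raise ValueError(f"mechanism not supported in this example: {name}")


def check_host(record, domain, sender_ip, dns=FAKE_DNS, downgrade_plus_all=True):
    """Return the SPF result for sender_ip claiming to send as domain.

    With downgrade_plus_all, a record that only matched via '+all' (Pass for
    everyone) is reported as neutral instead of pass: such a record says
    nothing about who the legitimate senders are, so Pass is not evidence.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, argument in parse_spf(record):
        if mechanism_matches(name, argument, domain, ip, dns):
            result = QUALIFIERS[qualifier]
            if downgrade_plus_all and name == "all" and result == "pass":
                return "neutral"
            return result
    return "neutral"  # no mechanism matched: treated as neutral


def smtp_action(spf_result):
    """Only a hard Fail justifies rejecting at SMTP time; softfail, neutral
    and pass are accepted and left as inputs for content filtering."""
    return "reject" if spf_result == "fail" else "accept"


if __name__ == "__main__":
    for record in ("v=spf1 mx -all", "v=spf1 mx ~all", "v=spf1 mx ?all", "v=spf1 +all"):
        for ip in ("192.0.2.10", "198.51.100.5"):
            result = check_host(record, "example.com", ip)
            print(f"{record:18} from {ip:13} -> {result:8} ({smtp_action(result)})")
```

Run it directly to see how the same forged sender (198.51.100.5, not an MX of the domain) is rejected under -all but merely annotated under ~all and ?all, and how a '+all' record yields Neutral rather than Pass once the downgrade is applied.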