SPF_Fail score too low?

Matt Kettler mkettler at evi-inc.com
Thu Apr 5 21:52:33 IST 2007


Chris Yuzik wrote:
> Hi everyone,
> 
> I was just going over some stats, and I see a rule called "SPF_FAIL"
> with the description, "SPF: sender does not match SPF record (fail)",
> which seems like a fairly major violation, yet the score assigned
> currently is only 1.14.
> 
> So if I'm clear what this means, I believe this says that the domain
> administrator has specified the specific IPs that are allowed to send
> email from this domain, and furthermore anything that doesn't come from
> the allowed IPs should not be accepted or trusted. Right? This isn't a
> soft-fail, but a full fail.
> 
> Seems to me this should be something that should be scored at 5.0 or
> higher. Or am I wrong?
> 
> Chris


Sorry for the late reply.

Real-world testing shows that the SPF_FAIL test is still quite prone to false
positives, and is more false-positive prone than the SOFTFAIL rule.

In the SpamAssassin 3.1.x mass-checks, SPF_FAIL had 95.5% of its matches being
spam, and 4.5% being nonspam. Softfail on the other hand was 99.2% spam and 0.8%
nonspam.

Personally, I interpret this as:

The foolhardy and ambitious admin will recklessly dive right in and create a
record which hard-fails. The more diligent admin will audit very carefully, but
realize he might have made mistakes and set a soft-fail record.

This results in SPF_FAIL presenting more FPs than SOFTFAIL.

Never expect rules to behave the way they "should" when they're the result of
human decisions. Humans add a whole layer of randomness and nonsense all their own.
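Added example, not from this thread or from SpamAssassin's own tooling: a small Python script that derives the kind of per-rule spam/ham hit share Matt quotes from the mass-checks, and estimates what moving SPF_FAIL from 1.14 to 5.0 would do to a ham corpus. The log lines, their shape and the function names are constructed for illustration and do not follow the real mass-check log format.

```python
from collections import defaultdict
# Constructed sample log in a simplified shape that only imitates a mass-check
# log: "<Y|.> <total score> <path> <rule,...>"; 'Y' = spam corpus, '.' = ham.
SAMPLE_LOG = """\
Y 7.3 spam/0001 SPF_FAIL,URIBL_BLACK,HTML_MESSAGE
Y 6.1 spam/0002 SPF_SOFTFAIL,RCVD_IN_XBL
Y 8.0 spam/0003 SPF_FAIL,RCVD_IN_XBL
Y 5.5 spam/0004 SPF_SOFTFAIL,HTML_MESSAGE
Y 9.2 spam/0005 SPF_FAIL,URIBL_BLACK
Y 6.4 spam/0006 SPF_SOFTFAIL,URIBL_BLACK
. 1.4 ham/0001 SPF_FAIL,HTML_MESSAGE
. 0.0 ham/0002 HTML_MESSAGE
. 0.6 ham/0003 SPF_SOFTFAIL
. 2.9 ham/0004 SPF_FAIL,HTML_MESSAGE
"""

def parse_log(text):
    """Yield (is_spam, total_score, [rule names]) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # blank or truncated line
        rules = parts[3].split(",") if len(parts) == 4 else []
        yield parts[0] == "Y", float(parts[1]), rules

def rule_stats(text):
    """Map rule -> (spam_hits, ham_hits, s_o); s_o is the share of hits on spam."""
    spam, ham = defaultdict(int), defaultdict(int)
    for is_spam, _score, rules in parse_log(text):
        for rule in rules:
            (spam if is_spam else ham)[rule] += 1
    return {r: (spam[r], ham[r], spam[r] / (spam[r] + ham[r]))
            for r in set(spam) | set(ham)}

def rank_by_so(stats):
    """Rules from most to least trustworthy by S/O, ties broken by name."""
    return sorted(stats, key=lambda r: (stats[r][2], r), reverse=True)

def rescore_effect(text, rule, old_score, new_score, threshold=5.0):
    """Count (spam newly caught, ham newly tagged) if `rule` went old -> new score."""
    delta = new_score - old_score
    new_spam = new_ham = 0
    for is_spam, score, rules in parse_log(text):
        if rule in rules and score < threshold <= score + delta:
            if is_spam:
                new_spam += 1
            else:
                new_ham += 1
    return new_spam, new_ham
```

On this constructed corpus SPF_SOFTFAIL ranks above SPF_FAIL on S/O, and raising SPF_FAIL to 5.0 tags two ham messages while catching no additional spam, which is the trade-off the mass-check numbers in the reply are about.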