SPF_Fail score too low?

Matt Kettler mkettler at evi-inc.com
Thu Apr 5 23:06:58 IST 2007


Res wrote:
> On Thu, 5 Apr 2007, Matt Kettler wrote:
> 
>> Personally, I interpret this as:
>>
>> The foolhardy and ambitious admin will recklessly dive right in and
>> create a record which hard-fails.
> 
> Or maybe they are the intelligent admins who are completely sick of the
> countless lamers getting away with impersonating everybody, but I do
> agree you must know what you are doing before enabling hardfail, but if
> you don't know what you are doing with SPF, you shouldn't be using it
> anyway.

IMHO 90% of email system admins don't know what they're doing. 90% of admins
using SPF also don't know what they're doing. Unfortunately, less than 1% of
admins realize it, which is why we have this problem.

> 
> Personally I hardfail *and* I recommend it.
> 
> However, I recommend using a milter to do SPF checks, and not S.A

True, I'm not saying all admins who use hardfail are foolhardy.

I'm merely saying the foolhardy admins are likely to jump in and go straight to
hardfail without testing. They won't start off with softfail. They're also the
ones most likely to have errors or omissions in their config, and also the least
likely to detect the problems caused.

This phenomenon makes hard-fail less trustworthy than softfail, which isn't how
it should be, but is how it ends up. Score one for the clueless.

I myself would recommend using hardfail, but I'd test things out starting at
neutral and work your way up after you've proven out that it really works.




More information about the MailScanner mailing list