From: Alex Satrapa (alex.satrapa apf.edu.au)
Date: Fri Oct 05 2007 - 00:58:12 CDT

On 05/10/2007, at 15:34 , RW wrote:

> On Fri, 05 Oct 2007 04:38:23 +0200, mouss wrote:
> I don't think SPF is credible enough for anybody with a brain to block
> mail from senders without SPF. So why bother with it at all?

mouss has a point.

I used to think that SPF was a good idea. Then I encountered a simple
scenario in which SPF broke everything:

My user A has all his mail forwarded to account B. Some external party
C sends mail to account A. All fine and dandy, right?

[original sender] C -> A -> B [final destination]

Except when the mail server for B rejects based on SPF, and the
domain for C has SPF records defined. Server B thus rejects all of
C's mail to A because the mail server A isn't authorised to send mail
for C (according to SPF records).

This is a simple case where the remedy (getting B's mail server to
use SPF as a HINT, not a RULE) is outside my control.

At the time I thought, "well, nothing I can do about it." So I
ignored it.

Then another user did this:

C -> B -> A

That is, they had an account on some other machine, which they had
set up to forward all mail to my machine. Suddenly, all of C's mail
to B was arriving on my machine and triggering every spam rule, since
the extra weight of an SPF rule mismatch pushed all those Word
documents out of the very tight margins I'd allowed.

So I stopped publishing SPF rules for my own server, and removed SPF
weighting from my spam rules.

FWIW, I'm happy with rejecting unnamed hosts, and greylisting for 10
minutes. I'll look at DKIM when I have the chance (or the
motivation). But SPF seemed to me to be a nice idea that turned out
to be a flop.

Alex
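
The forwarding failure described in the message above can be reproduced with a small SPF evaluator. This is an added example, not part of the original post: the domains, addresses, scores and the `spf_check` and `deliver` helpers are constructed for illustration, only the `ip4`/`ip6`/`all` mechanisms are handled, and it assumes the forwarder relays with the envelope sender unchanged.

```python
import ipaddress

# Constructed SPF records (documentation domains, RFC 5737 addresses).
SPF_RECORDS = {
    "c.example": "v=spf1 ip4:192.0.2.0/28 -all",    # sender C, strict policy
    "a.example": "v=spf1 ip4:198.51.100.25 ~all",   # forwarding host A
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, mail_from):
    """Evaluate ip4/ip6/all for the MAIL FROM domain against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def deliver(client_ip, mail_from, mode, spam_score=0.0,
            threshold=5.0, spf_weight=2.0):
    """Receiver decision: 'rule' rejects on SPF fail, 'hint' only adds weight."""
    if spf_check(client_ip, mail_from) == "fail":
        if mode == "rule":
            return "reject"
        spam_score += spf_weight  # hypothetical weighting, as in a scoring filter
    return "spam" if spam_score >= threshold else "accept"

if __name__ == "__main__":
    sender = "user@c.example"
    direct, via_a = "192.0.2.5", "198.51.100.25"   # C's own host vs. forwarder A
    print("C -> B direct:     ", spf_check(direct, sender))
    print("C -> A -> B (SPF): ", spf_check(via_a, sender))
    print("B uses SPF as rule:", deliver(via_a, sender, "rule"))
    print("B uses SPF as hint:", deliver(via_a, sender, "hint"))
    # Tight margins: content already scored 3.5, the SPF weight tips it over.
    print("hint, score 3.5:   ", deliver(via_a, sender, "hint", spam_score=3.5))
```

The last case corresponds to the second scenario in the message, where forwarded mail that was otherwise under the threshold is classified as spam once the SPF mismatch weight is added.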