[Dovecot] spf record
rick at havokmon.com
Wed Nov 28 20:21:21 EET 2007
On Nov 28, 2007, at 12:08 PM, Udo Rader wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Rick Romero wrote:
>> On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
>>> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>>>>>> Your spf record is broken:
>>>>>> dovecot.org. 39942 IN TXT "v=spf1 a -all"
>>>>> Care to tell also why? dovecot.org's mails are sent from the
>>>>> same IP as its A record.
>>>> Hmmm. I would have listed mx as well but that's just me. But just
>>>> listing a is likely better in that there are fewer lookups for the
>>>> receiving system.
>>>> One thing that bugs me is why we must now implement domainkeys
>>>> on top of SPF. SPF pretty much does everything domainkeys does but
>>> Because SPF is a broken hack that doesn't properly accommodate the
>>> forwarding of email without the use of other complicating hacks
>>> such as SRS which mangle the sender address.
>>> SPF should have been scrapped years ago. Instead, most large
>>> organizations use "?all" in their SPF entry (typically because of
>>> the forwarding problem), putting SPF in advisory mode which negates
>>> the whole purpose of having it anyway.
>> I disagree.
>> The only way you should be using SPF on the receiving end is as an
>> additional weight for spam scoring.
> Some time ago there was a similar discussion on the postfix ML and
> I had pretty much the same arguments that you had.
> But as a matter of fact, I got corrected. The major problem with even
> scoring is that the only things spammers have to do (and they
> really do it!) is to register some new domain, enter valid SPF
> records for it then their scoring might even improve.
I only give negative points for non-matching records. No positive
points. (Unless I misconfigured something, that's how I believe -
and want - it to work).

The idea being that even if the record doesn't match, if it's a valid
email you won't have enough other negatively scoring components to
completely drop it.

If there is a negative match on spam then we're also compensating for
changes in the structure of the email that might get it past Bayesian

If there is no record, or a positive match, then IMHO we're really
neither better nor worse off.

The 'spammers create domains' argument almost negates the sender
verification system entirely - assuming you're giving positive points
for any valid records.
> - --
> Udo Rader
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----