[Dovecot] spf record

Dean Brooks dean at iglou.com
Wed Nov 28 19:26:48 EET 2007


On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
> > > Your spf record is broken:
> > >
> > > dovecot.org.            39942   IN      TXT     "v=spf1 a -all"
> >
> > Care to tell also why? dovecot.org's mails are sent from the same IP as
> > its A record.
> 
> Hmmm.  I would have listed mx as well but that's just me.  But just
> listing a is likely better in that there are fewer lookups for the
> receiving system.
> 
> One thing that bugs me is why we must now implement domainkeys on top
> of SPF.  SPF pretty much does everything domainkeys does but simpler.

Because SPF is a broken hack that doesn't properly accommodate the
forwarding of email without the use of other complicating hacks
such as SRS which mangle the sender address.

SPF should have been scrapped years ago.  Instead, most large
organizations use "?all" in their SPF entry (typically because of the
forwarding problem), putting SPF in advisory mode which negates the
whole purpose of having it anyway.

DomainKeys at least provides a solution for the original problem; the
ability to determine whether an email came from a mail server that
was authorized to send from that domain, -and- the ability to embed
that signature into the message itself rather than relying on only the
source IP address to give that information.

Everyone has different opinions on the usefulness of SPF, but the
reality of it is, DomainKeys solves the entire problem.  SPF doesn't.

--
Dean Brooks
dean at iglou.com
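
The forwarding problem discussed in this message, as an added example that is not part of the original thread: a minimal SPF evaluator (only the `a`, `ip4` and `all` mechanisms) run against constructed records. The domains, addresses and the simplified `srs_rewrite` helper are assumptions for illustration; real SRS also embeds a hash and timestamp.

```python
import ipaddress

# Constructed DNS data using documentation address ranges, not real records.
A_RECORDS = {"example.org": ["192.0.2.10"], "forwarder.example": ["198.51.100.7"]}
SPF_RECORDS = {"example.org": "v=spf1 a -all", "forwarder.example": "v=spf1 a -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, envelope_domain, spf_records=SPF_RECORDS):
    """Evaluate a subset of SPF for the MAIL FROM domain against the connecting IP."""
    record = spf_records.get(envelope_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            hosts = A_RECORDS.get(arg or envelope_domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # term not handled by this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def srs_rewrite(sender, forwarder_domain):
    """Simplified SRS-style rewrite: move the envelope sender into the forwarder's domain."""
    local, _, domain = sender.partition("@")
    return f"SRS0={domain}={local}@{forwarder_domain}"

def scenarios():
    """Same message seen by a receiver: sent directly, forwarded, forwarded with SRS."""
    fwd_ip = "198.51.100.7"  # the forwarder's outbound IP (constructed)
    advisory = dict(SPF_RECORDS, **{"example.org": "v=spf1 a ?all"})
    srs_domain = srs_rewrite("user@example.org", "forwarder.example").split("@")[1]
    return {
        "direct": check_spf("192.0.2.10", "example.org"),
        "forwarded_strict": check_spf(fwd_ip, "example.org"),
        "forwarded_advisory": check_spf(fwd_ip, "example.org", advisory),
        "forwarded_srs": check_spf(fwd_ip, srs_domain),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

With `-all` the forwarded copy fails because the receiver sees the forwarder's IP, with `?all` every non-matching source is only `neutral`, and the SRS case passes because the check is made against the forwarder's own domain.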

