[Dovecot] spf record

Rick Romero rick at havokmon.com
Wed Nov 28 19:45:29 EET 2007


On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:

> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>>>> Your spf record is broken:
>>>>
>>>> dovecot.org.            39942   IN      TXT     "v=spf1 a -all"
>>>
>>> Care to tell also why? dovecot.org's mails are sent from the same IP as
>>> its A record.
>>
>> Hmmm.  I would have listed mx as well but that's just me.  But just
>> listing a is likely better in that there are fewer lookups for the
>> receiving system.
>>
>> One thing that bugs me is why we must now implement domainkeys on top
>> of SPF.  SPF pretty much does everything domainkeys does but simpler.
>
> Because SPF is a broken hack that doesn't properly accommodate the
> forwarding of email without the use of other complicating hacks
> such as SRS which mangle the sender address.
>
> SPF should have been scrapped years ago.  Instead, most large
> organizations use "?all" in their SPF entry (typically because of the
> forwarding problem), putting SPF in advisory mode which negates the
> whole purpose of having it anyway.

I disagree.
The only way you should be using SPF on the receiving end is as an  
additional weight for spam scoring.

That covers forwarding, ddns home users, and misc other issues.  Not  
only can you not be assured that an email is sent from a particular  
host, but you can't be assured everyone's upstream DNS has cached  
your record properly.  IMHO, to assume a DNS record is going to be  
kept up to date and correct 100% of the time is just silly.  By  
requiring an exact match to prevent a rejection, those who do this  
are risking many outright rejections which negatively affect their  
perceived service levels.

Rick
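The three positions in this thread (Matt's "a" versus "mx" and the lookup cost, Dean's forwarding problem and "?all" advisory mode, Rick's use of SPF only as a spam-score weight) can all be seen in a small SPF evaluator. The block below is an added example, not code from the Dovecot project or from anyone in the thread. It replaces DNS with a constructed in-memory table; the `example.org` record mirrors the `v=spf1 a -all` form quoted above, and every IP address, hostname and scoring weight in it is a made-up assumption.

```python
"""Toy SPF evaluator (added example; not from the Dovecot thread or project).

Implements the mechanisms the thread talks about ("a", "mx", "ip4") and the
"all" qualifiers "-all" (fail) and "?all" (neutral), roughly following the
check_host() outline of RFC 7208.  DNS is replaced by a constructed table so
the example runs offline.
"""
import ipaddress

# Constructed DNS data (assumption: hostnames and addresses are made up; the
# example.org record copies the "v=spf1 a -all" shape quoted in the thread).
FAKE_DNS = {
    "example.org": {
        "TXT": ["v=spf1 a -all"],
        "A": ["192.0.2.10"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["192.0.2.10"]},
    "advisory.example": {
        "TXT": ["v=spf1 mx ?all"],
        "MX": ["mx.advisory.example"],
    },
    "mx.advisory.example": {"A": ["198.51.100.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain):
    """Evaluate the connecting IP against the domain's SPF record.

    Returns (result, dns_lookups).  The lookup counter shows Matt's point:
    "a" costs one query, "mx" costs one MX query plus one A query per MX host.
    """
    record = spf_record(domain)
    if record is None:
        return "none", 0
    client = ipaddress.ip_address(ip)
    lookups = 0
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # mechanisms default to "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            lookups += 1
            matched = str(client) in lookup(arg or domain, "A")
        elif mech == "mx":
            lookups += 1
            for host in lookup(arg or domain, "MX"):
                lookups += 1
                if str(client) in lookup(host, "A"):
                    matched = True
                    break
        if matched:
            return QUALIFIERS[qualifier], lookups
    return "neutral", lookups                # no "all" term: RFC default


# Rick's position: treat SPF as one weight in a spam score rather than a
# reject condition.  The weights are illustrative assumptions only.
SCORE_WEIGHTS = {"pass": -0.5, "fail": 2.0, "softfail": 1.0, "neutral": 0.0, "none": 0.0}


def spf_score(ip, domain):
    """Return (spf_result, score_contribution) for a scoring-based receiver."""
    result, _ = check_host(ip, domain)
    return result, SCORE_WEIGHTS[result]


if __name__ == "__main__":
    # Direct delivery from the host behind the domain's A record: pass.
    print(check_host("192.0.2.10", "example.org"))
    # Dean's forwarding problem: the same message relayed by a forwarder at
    # 203.0.113.7 with the envelope sender unchanged now hits "-all", so a
    # receiver that rejects on fail drops legitimately forwarded mail.
    print(check_host("203.0.113.7", "example.org"))
    # A domain publishing "?all" degrades to neutral instead (advisory mode).
    print(check_host("203.0.113.7", "advisory.example"))
    # Scoring receiver: the fail adds weight but does not by itself reject.
    print(spf_score("203.0.113.7", "example.org"))
```

Running the block shows why the two camps disagree: with `-all`, a forwarded message fails outright and a strict receiver rejects it, while `?all` turns the same case into `neutral` and gives the receiver nothing to act on. Feeding the result into a score, as in `spf_score`, keeps the forwarding case and stale-DNS case from causing hard rejections while still letting a `fail` count against a message.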


