[Dovecot] spf record

Marc Perkel marc at perkel.com
Wed Nov 28 20:14:31 EET 2007



Dean Brooks wrote:
> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>   
>>>> Your spf record is broken:
>>>>
>>>> dovecot.org.            39942   IN      TXT     "v=spf1 a -all"
>>>>         
>>> Care to tell also why? dovecot.org's mails are sent from the same IP as
>>> its A record.
>>>       
>> Hmmm.  I would have listed mx as well but that's just me.  But just
>> listing a is likely better in that there are less lookups for the
>> receiving system.
>>
>> One thing that bugs me is why we must now implement domainkeys on top
>> of SPF.  SPF pretty much does everything domainkeys does but simpler.
>>     
>
> Because SPF is a broken hack that doesn't properly accommodate the
> forwarding of email without the use of other complicating hacks 
> such as SRS which mangle the sender address.
>
> SPF should have been scrapped years ago.  Instead, most large
> organizations use "?all" in their SPF entry (typically because of the
> forwarding problem), putting SPF in advisory mode which negates the
> whole purpose of having it anyway.
>
> DomainKeys at least provides a solution for the original problem; the
> ability to determine whether an email came from a mail server that
> was authorized to send from that domain, -and- the ability to embed
> that signature into the message itself rather than relying on only the
> source IP address to give that information.
>
> Everyone has different opinions on the usefulness of SPF, but the
> reality of it is, DomainKeys solves the entire problem.  SPF doesn't.
>
>
>   

I second that. I've wasted a lot of time with SPF and it's useless.


