[Dovecot] spf record
Marc Perkel
marc at perkel.com
Wed Nov 28 20:14:31 EET 2007
Dean Brooks wrote:
> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>
>>>> Your spf record is broken:
>>>>
>>>> dovecot.org. 39942 IN TXT "v=spf1 a -all"
>>>>
>>> Care to tell also why? dovecot.org's mails are sent from the same IP as
>>> its A record.
>>>
>> Hmmm. I would have listed mx as well but that's just me. But just
>> listing a is likely better in that there are fewer lookups for the
>> receiving system.
>>
>> One thing that bugs me is why we must now implement domainkeys on top
>> of SPF. SPF pretty much does everything domainkeys does but simpler.
>>
>
> Because SPF is a broken hack that doesn't properly accommodate the
> forwarding of email without the use of other complicating hacks
> such as SRS which mangle the sender address.
>
> SPF should have been scrapped years ago. Instead, most large
> organizations use "?all" in their SPF entry (typically because of the
> forwarding problem), putting SPF in advisory mode which negates the
> whole purpose of having it anyway.
>
> DomainKeys at least provides a solution for the original problem; the
> ability to determine whether an email came from a mail server that
> was authorized to send from that domain, -and- the ability to embed
> that signature into the message itself rather than relying on only the
> source IP address to give that information.
>
> Everyone has different opinions on the usefulness of SPF, but the
> reality of it is, DomainKeys solves the entire problem. SPF doesn't.
>
>
>
I second that. I've wasted a lot of time with SPF and it's useless.
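
The two technical points in this thread (the DNS lookup cost of `a` versus `a mx`, and enforcing `-all` versus advisory `?all`) can be checked mechanically. The following is an added example, not part of the original messages: the function name `analyze_spf` and the third sample record are constructed for illustration, and the code inspects only the top-level terms of a record without performing any DNS queries.

```python
import re

# Mechanisms that make the receiver issue a DNS query (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=")

def analyze_spf(txt):
    """Summarise the top-level terms of one SPF TXT string (hypothetical helper)."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    lookups, mechanisms = 0, []
    default, has_all, redirect = "neutral", False, False  # no match means neutral
    for term in terms[1:]:
        mod = MODIFIER.match(term)
        if mod:  # modifiers such as redirect= or exp=
            redirect = redirect or mod.group(1).lower() == "redirect"
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name == "all":  # "all" always matches, later terms are never reached
            default, has_all = QUALIFIERS[qualifier], True
            break
        mechanisms.append(name)
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if redirect and not has_all:  # redirect is ignored when "all" is present
        lookups += 1
        default = "redirect"
    return {
        "mechanisms": mechanisms,
        "lookups": lookups,             # included records add their own on top
        "default": default,
        "enforcing": default == "fail"  # only -all tells receivers to reject
    }

if __name__ == "__main__":
    samples = [
        "v=spf1 a -all",      # the record quoted in the thread
        "v=spf1 a mx -all",   # the variant with mx added
        "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ?all",  # constructed
    ]
    for record in samples:
        print(record, "->", analyze_spf(record))
```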