[Dovecot] spf record

Rick Romero rick at havokmon.com
Wed Nov 28 20:21:21 EET 2007 

On Nov 28, 2007, at 12:08 PM, Udo Rader wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rick Romero wrote:
>>
>> On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
>>
>>> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>>>>>> Your spf record is broken:
>>>>>>
>>>>>> dovecot.org.            39942   IN      TXT     "v=spf1 a -all"
>>>>>
>>>>> Care to tell also why? dovecot.org's mails are sent from the  
>>>>> same IP as
>>>>> its A record.
>>>>
>>>> Hmmm.  I would have listed mx as well but thats just me.  But just
>>>> listing a is likely better in that there are less lookups for the
>>>> receiving system.
>>>>
>>>> One thing that bugs me is why we must now implement domainkeys  
>>>> on top
>>>> of SPF.  SPF pretty much does everything domainkeys does but  
>>>> simpler.
>>>
>>> Because SPF is a broken hack that doesn't properly accomodate the
>>> forwarding of email without the use of other complicating hacks
>>> such as SRS which mangle the sender address.
>>>
>>> SPF should have been scrapped years ago.  Instead, most large
>>> organizations use "?all" in their SPF entry (typically because of  
>>> the
>>> forwarding problem), putting SPF in advisory mode which negates the
>>> whole purpose of having it anyway.
>>
>> I disagree.
>> The only way you should be using SPF on the receiving end is as an
>> additional weight for spam scoring.
>
> Some time ago there was a similar discussion on the postfix ML and  
> I had
> pretty much the same arguments that you had.
>
> But as a matter of fact, I got corrected. The major problem with even
> scoring is that the only things spammers have to do (and they  
> really do
> it!) is to register some new domain, enter valid SPF records for it  
> and
> then their scoring might even improve.

I only give negative points for non-matching records.  No positive  
points.  (Unless I misconfigured something, that's how I believe -  
and want - it to work).
The idea being that even if the record doesn't match, if it's a valid  
email you won't have enough other negatively scoring components to  
completely drop it.

If there is a negative match on spam then we're also compensating for  
changes in the structure of the email that might get it past bayesian  
filters.

If there is no record, or a positive match, then IMHO we're really  
neither better nor worse off.

The 'spammers create domains' argument almost negates the sender  
verification system entirely - assuming you're giving positive points  
for any valid records.

Rick

> - --
> Udo Rader
> http://www.bestsolution.at
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
>
> iD8DBQFHTa6BuhFd84GLxP8RAh2uAJ43FN6z1DZkEP6Uun0CxnuA+iSukQCfcqiY
> bSBpLiK6MmDvahOLmYt0lTc=
> =zmqd
> -----END PGP SIGNATURE-----

More information about the dovecot mailing list