[Dovecot] spf record
Rick Romero
rick at havokmon.com
Wed Nov 28 20:21:21 EET 2007
On Nov 28, 2007, at 12:08 PM, Udo Rader wrote:
> Rick Romero wrote:
>>
>> On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
>>
>>> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>>>>>> Your spf record is broken:
>>>>>>
>>>>>> dovecot.org. 39942 IN TXT "v=spf1 a -all"
>>>>>
>>>>> Care to tell also why? dovecot.org's mails are sent from the
>>>>> same IP as
>>>>> its A record.
>>>>
>>>> Hmmm. I would have listed mx as well but that's just me. But just
>>>> listing a is likely better in that there are less lookups for the
>>>> receiving system.
>>>>
>>>> One thing that bugs me is why we must now implement domainkeys on top
>>>> of SPF. SPF pretty much does everything domainkeys does but simpler.
>>>
>>> Because SPF is a broken hack that doesn't properly accommodate the
>>> forwarding of email without the use of other complicating hacks
>>> such as SRS which mangle the sender address.
>>>
>>> SPF should have been scrapped years ago. Instead, most large
>>> organizations use "?all" in their SPF entry (typically because of the
>>> forwarding problem), putting SPF in advisory mode which negates the
>>> whole purpose of having it anyway.
>>
>> I disagree.
>> The only way you should be using SPF on the receiving end is as an
>> additional weight for spam scoring.
>
> Some time ago there was a similar discussion on the postfix ML and I had
> pretty much the same arguments that you had.
>
> But as a matter of fact, I got corrected. The major problem with even
> scoring is that the only thing spammers have to do (and they really do
> it!) is to register some new domain, enter valid SPF records for it and
> then their scoring might even improve.
I only give negative points for non-matching records. No positive
points. (Unless I misconfigured something, that's how I believe -
and want - it to work).
The idea being that even if the record doesn't match, if it's a valid
email you won't have enough other negatively scoring components to
completely drop it.
If there is a negative match on spam then we're also compensating for
changes in the structure of the email that might get it past bayesian
filters.
If there is no record, or a positive match, then IMHO we're really
neither better nor worse off.
The 'spammers create domains' argument almost negates the sender
verification system entirely - assuming you're giving positive points
for any valid records.
Rick
> --
> Udo Rader
> http://www.bestsolution.at
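The two scoring policies argued over above, worked through in code. This is an added example, not code from the thread or from Dovecot: it evaluates a small SPF subset (the `a`, `mx`, `ip4` and `all` mechanisms with their qualifiers) against a constructed, offline DNS table, then applies Rick's "penalty on fail only" rule beside the "bonus on pass" rule Udo warns about. All domains and addresses are constructed placeholders, and the record for dovecot.org is the one quoted in the thread.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (no real lookups).
DNS = {
    "dovecot.org":        {"TXT": "v=spf1 a -all", "A": ["192.0.2.10"]},
    "bigcorp.example":    {"TXT": "v=spf1 mx ?all", "MX": ["mx.bigcorp.example"]},
    "mx.bigcorp.example": {"A": ["198.51.100.2"]},
    "freshspam.example":  {"TXT": "v=spf1 ip4:203.0.113.0/24 -all"},  # new spammer domain, valid SPF
    "nospf.example":      {"A": ["198.51.100.9"]},                     # no TXT record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Return the SPF result for client_ip sending as domain (a/mx/ip4/all subset)."""
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"   # default qualifier is "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in DNS.get(domain, {}).get("A", [])
        elif mech == "mx":
            matched = any(client_ip in DNS.get(mx, {}).get("A", [])
                          for mx in DNS.get(domain, {}).get("MX", []))
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            return "permerror"   # mechanism outside the subset modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # no mechanism matched and no explicit "all"


def score_fail_only(result, penalty=2.0):
    """Rick's rule: a non-matching record adds spam points; pass/none/neutral add nothing."""
    return {"fail": penalty, "softfail": penalty / 2}.get(result, 0.0)


def score_with_bonus(result, penalty=2.0, bonus=-1.5):
    """The rule Udo warns about: a pass lowers the score, which a freshly registered domain can earn."""
    return bonus if result == "pass" else score_fail_only(result, penalty)
```

Under `score_with_bonus`, mail from freshspam.example's own netblock gets the same bonus as genuine dovecot.org mail, while under `score_fail_only` both score 0 and only a forged dovecot.org sender is penalised.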