On Nov 28, 2007, at 12:08 PM, Udo Rader wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Rick Romero wrote:
On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
Your spf record is broken:
dovecot.org. 39942 IN TXT "v=spf1 a -all"
Care to tell also why? dovecot.org's mails are sent from the
same IP as its A record.Hmmm. I would have listed mx as well but thats just me. But just listing a is likely better in that there are less lookups for the receiving system.
One thing that bugs me is why we must now implement domainkeys
on top of SPF. SPF pretty much does everything domainkeys does but
simpler.Because SPF is a broken hack that doesn't properly accomodate the forwarding of email without the use of other complicating hacks such as SRS which mangle the sender address.
SPF should have been scrapped years ago. Instead, most large organizations use "?all" in their SPF entry (typically because of
the forwarding problem), putting SPF in advisory mode which negates the whole purpose of having it anyway.I disagree. The only way you should be using SPF on the receiving end is as an additional weight for spam scoring.
Some time ago there was a similar discussion on the postfix ML and
I had pretty much the same arguments that you had.But as a matter of fact, I got corrected. The major problem with even scoring is that the only things spammers have to do (and they
really do it!) is to register some new domain, enter valid SPF records for it
and then their scoring might even improve.
I only give negative points for non-matching records. No positive
points. (Unless I misconfigured something, that's how I believe -
and want - it to work).
The idea being that even if the record doesn't match, if it's a valid
email you won't have enough other negatively scoring components to
completely drop it.
If there is a negative match on spam then we're also compensating for
changes in the structure of the email that might get it past bayesian
filters.
If there is no record, or a positive match, then IMHO we're really
neither better nor worse off.
The 'spammers create domains' argument almost negates the sender
verification system entirely - assuming you're giving positive points
for any valid records.
Rick
Udo Rader http://www.bestsolution.at
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
iD8DBQFHTa6BuhFd84GLxP8RAh2uAJ43FN6z1DZkEP6Uun0CxnuA+iSukQCfcqiY bSBpLiK6MmDvahOLmYt0lTc= =zmqd -----END PGP SIGNATURE-----