on 11/28/2007 10:08 AM Udo Rader spake the following:
Rick Romero wrote:
On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
Your spf record is broken:
dovecot.org. 39942 IN TXT "v=spf1 a -all"

Care to tell also why? dovecot.org's mails are sent from the same IP as its A record.

Hmmm. I would have listed mx as well, but that's just me. But just listing a is likely better in that there are fewer lookups for the receiving system.
One thing that bugs me is why we must now implement domainkeys on top of SPF. SPF pretty much does everything domainkeys does, but simpler.

Because SPF is a broken hack that doesn't properly accommodate the forwarding of email without the use of other complicating hacks such as SRS, which mangle the sender address.
SPF should have been scrapped years ago. Instead, most large organizations use "?all" in their SPF entry (typically because of the forwarding problem), putting SPF in advisory mode, which negates the whole purpose of having it anyway.

I disagree. The only way you should be using SPF on the receiving end is as an additional weight for spam scoring.
Some time ago there was a similar discussion on the postfix ML and I had pretty much the same arguments that you had.
But as a matter of fact, I got corrected. The major problem with even scoring is that the only thing spammers have to do (and they really do it!) is to register some new domain, enter valid SPF records for it, and then their scoring might even improve.

That is why you don't score on pass, but add an incremental score on fails. That way a fail will bump the score a bit, but a pass won't negate the other hits.
--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
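To make the points in this thread concrete (the "v=spf1 a -all" record and its lookup cost, the forwarding failure, and scoring only on fail), here is an added example that is not part of any of the posts above. It evaluates a sender IP against an SPF record using a constructed, offline DNS table; the IPs, the spammer.example domain and the score weights are invented for illustration.

```python
import ipaddress

# Constructed offline DNS data (example values, not live records) so the check runs without network.
DNS = {
    "dovecot.org": {"TXT": "v=spf1 a -all", "A": ["192.0.2.10"], "MX": ["mail.dovecot.org"]},
    "mail.dovecot.org": {"A": ["192.0.2.10"]},
    # A throwaway domain with a perfectly valid SPF record, as described in the thread.
    "spammer.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 -all", "A": [], "MX": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, record=None):
    """Evaluate a sender IP against an SPF record (mechanisms a, mx, ip4 and all only).

    Returns (result, dns_lookups); the lookup count is why a plain 'a' record is
    cheaper for the receiver than one that also lists 'mx'.
    """
    record = record or DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none", 0
    ip = ipaddress.ip_address(sender_ip)
    lookups = 0
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qual], lookups
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual], lookups
        elif mech == "a":
            lookups += 1  # one A query for the domain itself
            if str(ip) in DNS.get(domain, {}).get("A", []):
                return QUALIFIERS[qual], lookups
        elif mech == "mx":
            lookups += 1  # the MX query...
            for host in DNS.get(domain, {}).get("MX", []):
                lookups += 1  # ...plus an A query per MX host
                if str(ip) in DNS.get(host, {}).get("A", []):
                    return QUALIFIERS[qual], lookups
    return "neutral", lookups  # no mechanism matched and no 'all' present

# Receiving-side policy from the thread: a fail adds weight, a pass adds nothing,
# so a spammer registering a domain with a clean SPF record gains no negative score.
SPF_WEIGHT = {"fail": 2.0, "softfail": 1.0, "neutral": 0.0, "none": 0.0, "pass": 0.0}

def spf_score(result):
    return SPF_WEIGHT[result]
```

A message from dovecot.org relayed through a forwarder at another IP comes out as "fail" and only bumps the score; the same record checked against the domain's own A record passes with a single lookup.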