[Dovecot] spf record
Dean Brooks
dean at iglou.com
Wed Nov 28 19:26:48 EET 2007
On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
> > > Your spf record is broken:
> > >
> > > dovecot.org. 39942 IN TXT "v=spf1 a -all"
> >
> > Care to tell also why? dovecot.org's mails are sent from the same IP as
> > its A record.
>
> Hmmm. I would have listed mx as well but that's just me. But just
> listing a is likely better in that there are fewer lookups for the
> receiving system.
>
> One thing that bugs me is why we must now implement domainkeys on top
> of SPF. SPF pretty much does everything domainkeys does but simpler.
Because SPF is a broken hack that doesn't properly accommodate the
forwarding of email without the use of other complicating hacks
such as SRS which mangle the sender address.

SPF should have been scrapped years ago. Instead, most large
organizations use "?all" in their SPF entry (typically because of the
forwarding problem), putting SPF in advisory mode which negates the
whole purpose of having it anyway.

DomainKeys at least provides a solution for the original problem; the
ability to determine whether an email came from a mail server that
was authorized to send from that domain, -and- the ability to embed
that signature into the message itself rather than relying on only the
source IP address to give that information.

Everyone has different opinions on the usefulness of SPF, but the
reality of it is, DomainKeys solves the entire problem. SPF doesn't.
--
Dean Brooks
dean at iglou.com
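
The forwarding problem discussed in the message above, as an added example that is not part of the original post: a small evaluator for a subset of SPF (`a`, `mx`, `ip4`, `all`) applied to the `v=spf1 a -all` record quoted in the thread and to a `?all` variant. The domain `example.org`, the IP addresses and the in-memory DNS table are constructed for illustration.

```python
import ipaddress

# Constructed DNS data using documentation address ranges (assumption, not real records).
DNS = {
    ("example.org", "A"): ["192.0.2.10"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ORIGIN = "192.0.2.10"        # constructed: the domain's own sending host
FORWARDER = "198.51.100.7"   # constructed: a forwarder relaying with the sender unchanged


def _a_match(ip, name):
    """True if the connecting IP equals one of the A records of name."""
    return any(ipaddress.ip_address(a) == ip for a in DNS.get((name, "A"), []))


def check_spf(record, client_ip, domain):
    """Evaluate a subset of SPF mechanisms left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = _a_match(ip, arg or domain)
        elif name == "mx":
            hosts = DNS.get((arg or domain, "MX"), [])
            matched = any(_a_match(ip, host) for host in hosts)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside the subset handled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    for record in ("v=spf1 a -all", "v=spf1 a ?all"):
        for label, ip in (("direct", ORIGIN), ("forwarded", FORWARDER)):
            print(f"{record!r:18} {label:10} {check_spf(record, ip, 'example.org')}")
```

With `-all` the forwarded copy evaluates to `fail` because the check sees only the forwarder's IP; with `?all` it evaluates to `neutral`, which gives the receiver no basis for rejecting it.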