[Dovecot] spf record
Rick Romero
rick at havokmon.com
Wed Nov 28 19:45:29 EET 2007
On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>>>> Your spf record is broken:
>>>>
>>>> dovecot.org. 39942 IN TXT "v=spf1 a -all"
>>>
>>> Care to tell also why? dovecot.org's mails are sent from the same
>>> IP as
>>> its A record.
>>
>> Hmmm. I would have listed mx as well but thats just me. But just
>> listing a is likely better in that there are less lookups for the
>> receiving system.
>>
>> One thing that bugs me is why we must now implement domainkeys on top
>> of SPF. SPF pretty much does everything domainkeys does but simpler.
>
> Because SPF is a broken hack that doesn't properly accomodate the
> forwarding of email without the use of other complicating hacks
> such as SRS which mangle the sender address.
>
> SPF should have been scrapped years ago. Instead, most large
> organizations use "?all" in their SPF entry (typically because of the
> forwarding problem), putting SPF in advisory mode which negates the
> whole purpose of having it anyway.
I disagree.
The only way you should be using SPF on the receiving end is as an
additional weight for spam scoring.
That covers forwarding, ddns home users, and misc other issues. Not
only can you not be assured that an email is sent from a particular
host, but you can't be assured everyone's upstream DNS has cached
your record properly. IMHO, to assume a DNS record is going to be
kept up to date and correct 100% of the time is just silly. By
requiring an exact match to prevent a rejection, those who do this
are risking many outright rejections which negatively affect their
perceived service levels.
Rick
More information about the dovecot
mailing list