[Dovecot] spf record

Scott Silva ssilva at sgvwater.com
Wed Nov 28 20:33:14 EET 2007


on 11/28/2007 10:08 AM Udo Rader spake the following:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Rick Romero wrote:
>> On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
>>
>>> On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
>>>>>> Your spf record is broken:
>>>>>>
>>>>>> dovecot.org.            39942   IN      TXT     "v=spf1 a -all"
>>>>> Care to tell also why? dovecot.org's mails are sent from the same IP as
>>>>> its A record.
>>>> Hmmm.  I would have listed mx as well but that's just me.  But just
>>>> listing a is likely better in that there are fewer lookups for the
>>>> receiving system.
>>>>
>>>> One thing that bugs me is why we must now implement domainkeys on top
>>>> of SPF.  SPF pretty much does everything domainkeys does but simpler.
>>> Because SPF is a broken hack that doesn't properly accommodate the
>>> forwarding of email without the use of other complicating hacks
>>> such as SRS which mangle the sender address.
>>>
>>> SPF should have been scrapped years ago.  Instead, most large
>>> organizations use "?all" in their SPF entry (typically because of the
>>> forwarding problem), putting SPF in advisory mode which negates the
>>> whole purpose of having it anyway.
>> I disagree.
>> The only way you should be using SPF on the receiving end is as an
>> additional weight for spam scoring.
> 
> Some time ago there was a similar discussion on the postfix ML and I had
> pretty much the same arguments that you had.
> 
> But as a matter of fact, I got corrected. The major problem with even
> scoring is that the only things spammers have to do (and they really do
> it!) is to register some new domain, enter valid SPF records for it and
> then their scoring might even improve.
That is why you don't score on pass, but incremental score on fails. That way 
a fail will bump the score a bit, but a pass won't negate the other hits.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
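
The scoring approach discussed in this message, as an added example that is not part of the original post: it reads the Received-SPF result (RFC 7208 keywords) and compares a weight table that rewards a pass with one that only penalises failures. The weights, threshold, function names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string

THRESHOLD = 5.0  # constructed spam threshold (assumption)
# Constructed weights (assumptions). Fail-only: a pass contributes nothing.
FAIL_ONLY = {"fail": 2.0, "softfail": 1.0}
# The scheme objected to in the quoted text: a pass earns a bonus.
PASS_BONUS = {"pass": -1.0, "fail": 2.0, "softfail": 1.0}

RESULT_RE = re.compile(
    r"\s*(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)

def spf_result(raw):
    """Result keyword of the first Received-SPF header (RFC 7208), else 'none'."""
    header = message_from_string(raw).get("Received-SPF", "")
    m = RESULT_RE.match(header)
    return m.group(1).lower() if m else "none"

def score(raw, other_hits, weights):
    """Score from the other rules plus the SPF weight for this message."""
    return other_hits + weights.get(spf_result(raw), 0.0)

def is_spam(raw, other_hits, weights):
    """True when the combined score reaches the threshold."""
    return score(raw, other_hits, weights) >= THRESHOLD

# Constructed sample messages (not real mail).
FRESH_DOMAIN = (
    "Received-SPF: pass (mx.example.net: domain of promo@new-domain.example "
    "designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;\n"
    "From: promo@new-domain.example\nSubject: offer\n\nbody\n")
FORGED = (
    "Received-SPF: fail (mx.example.net: domain of user@example.org does not "
    "designate 198.51.100.7 as permitted sender) client-ip=198.51.100.7;\n"
    "From: user@example.org\nSubject: invoice\n\nbody\n")

if __name__ == "__main__":
    for name, raw, hits in (("fresh-domain", FRESH_DOMAIN, 5.5),
                            ("forged", FORGED, 3.5)):
        print(name, spf_result(raw),
              "pass-bonus:", is_spam(raw, hits, PASS_BONUS),
              "fail-only:", is_spam(raw, hits, FAIL_ONLY))
```

With the pass bonus, the fresh-domain message drops below the threshold; with fail-only weights its score is left to the other rules, while the forged message is still pushed over by the SPF fail.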


