Georg Lutz writes:

Hi,

I observed some strange behaviour with our courier server when it comes
to SPF checks. I think this particular SPF check should not fail, but
perhaps I am wrong, please enlighten me:


Courier is configured to do SPF check in this way:

BOFHSPFMAILFROM=pass,none,unknown,softfail,neutral

To me that means that courier checks during the "MAIL FROM" command the
sender domain and it should fail only if the "-all" statement is used in
the SPF record.

Now I see in the maillog a problem with mails coming from osb.org. Mails
are temporarily rejected with a "417 DNS MX lookup failed" error.

The SPF record for osb.org is

---
"v=spf1 mx mx:smtpcluster.computing.csbsju.edu ip4:152.65.184.22
ip4:152.65.184.23 ip4:152.65.184.40 ip4:152.65.184.46 ip4:152.65.184.52
ip4:152.65.184.137 ~all"
---

This came up on the list before.

This SPF record is broken, and violates the SPF specification draft.

smtpcluster.computing.csbsju.edu does not have an MX record, and the SPF draft explicitly states that "mx" entries _MUST_ have MX records, and SPF **WILL NOT** fall back to looking up an A record, if the MX record is absent.

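One way to check a record for the condition described in the reply above, as an added example that is not part of either message and is not Courier's code: it lists every domain an "mx" mechanism will query and reports the ones that return no MX records. The resolver hook `lookup_mx`, the DNS table and the MX host name given for osb.org are constructed assumptions; macros in the domain part are not expanded.

```python
import re

# Constructed stand-in for DNS so the example runs offline. The empty MX set
# for smtpcluster.computing.csbsju.edu is what the thread reports; the MX host
# listed for osb.org is a made-up placeholder.
CONSTRUCTED_MX = {
    "osb.org": ["mail.osb.example"],
    "smtpcluster.computing.csbsju.edu": [],
}

def lookup_mx(name):
    """Hypothetical resolver hook; replace with a real MX query when deployed."""
    return CONSTRUCTED_MX.get(name.lower().rstrip("."), [])

# [qualifier] "mx" [":" domain] ["/" cidr-length(s)]
MX_TERM = re.compile(r"^[+\-~?]?mx(?::([^/]+))?(?:/.*)?$", re.IGNORECASE)

def mx_targets(domain, record):
    """Return the domain each "mx" mechanism in an SPF record will query."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    targets = []
    for term in terms[1:]:
        match = MX_TERM.match(term)
        if match:
            # A bare "mx" refers to the domain being checked.
            targets.append(match.group(1) or domain)
    return targets

def mx_targets_without_mx(domain, record, resolver=lookup_mx):
    """Return the "mx" targets for which the resolver finds no MX records."""
    return [t for t in mx_targets(domain, record) if not resolver(t)]

# The record quoted in the thread, joined onto one line.
OSB_RECORD = (
    "v=spf1 mx mx:smtpcluster.computing.csbsju.edu ip4:152.65.184.22 "
    "ip4:152.65.184.23 ip4:152.65.184.40 ip4:152.65.184.46 "
    "ip4:152.65.184.52 ip4:152.65.184.137 ~all"
)

if __name__ == "__main__":
    for target in mx_targets_without_mx("osb.org", OSB_RECORD):
        print(f"mx:{target} has no MX records")
```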