> If I have to allow in the SPF record that the message can come in > from many (all?) other IP's then the defensive function of SPF > becomes pretty useless, or not?
No, it's not completely useless. Even if you can't query _your own_ SPF record unless it's set to accept wildcard sending IPs--and you can't use WHITELIST AUTH for those IPs--you can still publish an internal DNS zone for your domain that doesn't contain an SPF record, while publishing a more restrictive policy in your public DNS record. This would enable _remote_ servers to apply your more restrictive policy and prevent forgery of your domain from zombie IPs, while your internal servers would use different logic. > A local user in my terms is anyone that connect to our server and > both Imail and Declude handle this as outgoing message. Hmm...that's pretty confusing, too. Does the nature of a sending user change depending on the recipient domain? Not really. It sounds like you mean "local" = "messages from authed or IPed users who _would_ be allowed to relay, even if they are not currently relaying the current message" (or as I referred to it in another thread, "VIP sessions"). > Remote users send (incomming) messages that are delivered to local > users. In both IMail and Declude terms, that nomenclature isn't actually used. An IMail "treated as local" user can definitely send mail for remote or local delivery, for example, and a Declude "local user" is based on sender domain. In order to deploy SPF, you definitely need to have a consistent idea of which sessions deserve elevated privileges in theory--and which of those sessions you can detect in practice. --Sandy ------------------------------------ Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.