Daryl C. W. O'Shea writes:
> Sidney Markowitz wrote:
> > Justin Mason wrote:
> >
> >>According to the SPF people, we shouldn't
> >>be using -all on a domain that may possibly emit mail. So I changed
> >>the record...
> >
> <snip>
> >
> > If you can list all sending domains, sending IP addresses, and ISP mail
> > servers that are allowed to send mail from a spamassassin.org address,
> > then you can use ~all and we can use from spamassassin.org in the SPF
> > test for a failed HELO. If you can't list all of them in the record, we
> > are forced to use ?all and we need a different domain to use for the test.
>
> It's more like:
>
> ?all if you don't think you've listed all the hosts that may send mail
>
> ~all if you *think* you've listed all the hosts that may send mail
>
> -all if you *know* you've listed all the hosts that may send mail
>
> The wizard doesn't give you the option -all since they don't want to
> 'wizardize' you having your mail rejected. If you don't list all your
> hosts and the record contains ~all, it'll generate a soft fail... which
> means the receiving server should still accept the mail.
>
> If you forget to list all your hosts and your record contains -all, it
> generates a hard fail... which means the receiving server should feel
> free to reject, or drop the message.
>
> I've got many domains using -all (with all of their sending hosts
> listed) and have had no problems.

Yes, that's how it was *supposed* to work ;)

However the SPF mavens nowadays are taking the forwarding problem into
account, and recommending that -all not be used even if you've listed
all the hosts that may send mail, since a recipient address may forward
to another, SPF-checking, address without rewriting the env sender.

--j.
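The forwarding case from the end of this message, as an added example that is not part of the original thread: a simplified SPF evaluator (only `ip4`, `ip6` and `all`, no DNS lookups) run against a constructed record, with the same mail arriving once directly and once through a forwarder that keeps the envelope sender. The IP addresses and the `scenario` helper are assumptions made for illustration.

```python
import ipaddress

# SPF result for each qualifier; "+" is implied when none is written.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate a simplified SPF record for the connecting client IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches, so its qualifier decides the result
            # for every host not matched by an earlier mechanism.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip in network:  # False when the IP versions differ
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, ... need DNS and are outside this sketch.
        raise ValueError("unsupported mechanism: " + name)
    return "neutral"  # nothing matched and the record has no "all"


# Constructed sample data (documentation address ranges).
SENDER_HOST = "192.0.2.10"   # the only host listed in the record
FORWARDER = "198.51.100.7"   # relays mail without rewriting the envelope sender


def scenario(all_term):
    """Return (result for direct delivery, result after forwarding)."""
    record = "v=spf1 ip4:" + SENDER_HOST + " " + all_term
    # The final receiver still checks the original envelope domain's record,
    # but the connecting IP it sees is the forwarder's.
    return check_spf(record, SENDER_HOST), check_spf(record, FORWARDER)


if __name__ == "__main__":
    for all_term in ("?all", "~all", "-all"):
        print(all_term, scenario(all_term))
```
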
