On 1/28/2012 12:54 AM, Frank Bonnet wrote:
> Hello
>
> I need some clarifications on the verify_sender statement:
>
> What I would like to do:
>
> When our MX receives an email from [email protected] I would like
> Postfix to perform a DNS lookup to verify that the IP address of
> the sender is really part of the domain "domain.tld" and if not
> reject the email from [email protected] saying:
> "Your email has been rejected because
> your IP address is not in the domain "domain.tld" "

This would result in a high rate of false positives while having at best a modest impact on spam -- most of the mail it would correctly reject could also be safely rejected by a good dnsbl or other rules.

The reason SPF was invented is because there are too many hosted email systems where the sender domain has no apparent connection to the PTR of the legit originating server. Indeed, there is no requirement nor "best practice" that the PTR of a mail server match the domain being sent. Likewise, there is no requirement that a sending server also be an MX receiver.

SPF, with all its warts, is the only reliable way to determine if a host is authorized to send mail on behalf of some domain. Even with SPF, it's generally unwise to reject all mail that fails; rather use the failure in a scoring system such as SpamAssassin as an indicator contributing to the final determination.

-- Noel Jones
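
The difference between the PTR-in-domain check and an SPF lookup, as an added example that is not part of the original message. It evaluates only a subset of SPF (ip4/ip6, include, all) against constructed DNS data; the host names, address ranges, score weights and function names are assumptions for illustration.

```python
import ipaddress

# Constructed DNS data (documentation ranges and example names), not real records.
PTR = {"192.0.2.10": "out-7.mailhost.example", "198.51.100.5": "dsl-5.isp.example"}
TXT = {
    "domain.tld": "v=spf1 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

def ptr_in_domain(ip, domain):
    """The check proposed in the question: the PTR name must sit under the sender domain."""
    name = PTR.get(ip, "")
    return name == domain or name.endswith("." + domain)

def spf_result(ip, domain, depth=0):
    """Simplified SPF evaluation: ip4/ip6, include and all only."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # simple guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only when the referenced record returns pass
            matched = spf_result(ip, mech[8:], depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms outside this subset are skipped
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

# Hypothetical weights for a scoring filter; not SpamAssassin's shipped values.
SPF_SCORE = {"pass": -0.1, "none": 0.0, "neutral": 0.5,
             "softfail": 1.0, "fail": 3.0, "permerror": 0.5}

def evaluate(ip, domain):
    """Compare the PTR-based reject decision with an SPF result used as a score."""
    result = spf_result(ip, domain)
    return {"ptr_check_rejects": not ptr_in_domain(ip, domain),
            "spf": result, "score": SPF_SCORE[result]}
```

The hosted sender at 192.0.2.10 would be rejected by the PTR check even though the domain's SPF record authorizes it, while the unauthorized host only contributes a score to the final determination.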
