Chris Angelico <ros...@gmail.com> wrote:

> On Tue, Jul 23, 2013 at 12:08 AM, Michael Torrie <torr...@gmail.com>
> wrote:
>> On 07/22/2013 06:51 AM, Chris Angelico wrote:
>>>> Thanks for the tip. I didn't know about SPF
>>>> http://en.wikipedia.org/wiki/Sender_Policy_Framework
>>>
>>> It's a great way of detecting legit vs forged mail. If anyone tries
>>> to send mail purporting to be from anyth...@kepl.com.au and the
>>> receiving mail server is checking SPF records, it'll be rejected
>>> after one cheap DNS lookup. It's a simple and cacheable way to ask
>>> the owning server, "Is this guy allowed to send mail for you?". (The
>>> 192.168 block in my SPF record above is permitted to allow some
>>> intranet conveniences; omit it unless you need it.)
>>
>> Yes setting SPF records will help your mail be accepted by other
>> servers, but I disagree with your appeal to make mail server SPF
>> handling as strict as your server does. SPF has problems in a number
>> of situations which could cause legitimate mail to be rejected. In
>> my last job I could only use SPF as one spam factor, not as a basis
>> for rejection.
>
> If legit mail is rejected for failing an SPF check, it's the sending
> admin's problem, not yours. You should never have problems with it if
> it's set up correctly. And since rejected mail gets reported to the
> transmitting MTA, you don't need to drop it in a spambox or anything.
> It's not spam, it's simply invalid mail (equivalent to something sent
> to a dud address).
>

If you want your emails to have the best chance of arriving your SPF should list servers you use but not deny that there might be others.

I have a very common situation where an overly strict SPF may cause problems:

Like many people I have multiple email addresses which all end up in the same inbox. The one I most commonly give out to businesses bounces the email unchanged to the gmail inbox that I use. That means all emails I receive through that email address appear to Google to have originated from the forwarding servers. An SPF record from the original sender that claims to have a complete list of originating servers will therefore fail validation.

It isn't Google's fault: they can't ignore the forwarding step otherwise spammers could bypass SPF simply by claiming to be forwarding the emails. It is simply a limitation of the SPF protocol. Fortunately they only use SPF as one indicator so real messages still get through.

-- 
Duncan Booth
-- 
http://mail.python.org/mailman/listinfo/python-list
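
The forwarding failure described in this message, as an added example that is not part of the original thread: a minimal offline SPF check that handles only the `ip4`/`ip6` and `all` mechanisms. The addresses, the two SPF records and the function names are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> result returned when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all terms only; DNS-based mechanisms are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term

def receiver_action(spf_result, reject_on_fail):
    """Strict receivers reject on 'fail'; others use SPF as one spam factor."""
    if spf_result == "fail" and reject_on_fail:
        return "reject"
    return "accept" if spf_result == "pass" else "score"

# Constructed sample data (documentation address ranges, not from the thread).
SENDER_MTA = "203.0.113.25"     # the original sender's own outbound server
FORWARDER_MTA = "198.51.100.7"  # forwarding host relaying the mail unchanged
STRICT = "v=spf1 ip4:203.0.113.0/24 -all"  # claims the server list is complete
OPEN = "v=spf1 ip4:203.0.113.0/24 ?all"    # lists servers, denies no others

def scenarios():
    rows = []
    for label, record in (("strict", STRICT), ("open", OPEN)):
        for hop, ip in (("direct", SENDER_MTA), ("forwarded", FORWARDER_MTA)):
            result = check_spf(record, ip)
            rows.append((label, hop, result, receiver_action(result, True)))
    return rows

if __name__ == "__main__":
    for row in scenarios():
        print("%-6s %-9s spf=%-8s strict receiver: %s" % row)
```

Only the forwarded message under the `-all` record is rejected by a receiver that enforces SPF strictly; the same forwarded message under `?all` evaluates to neutral and is left to other spam signals.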