jdow wrote:
> Even more to the point SPF is NOT a reason to accept or reject mail.
> All it does is verify the domain from which it originated. That is a
> tool for SCORING spam not for outright elimination of messages that
> have bad SPF records and accepting those that have good SPF records.
> It is perfectly legitimate for a spammer to build his own SPF record
> and get approved by such mal-configured tools. All the SPF record
> does is give you confidence of the veracity of one hop in the chain.
I agree that a 'pass' result from an SPF test does nothing to show that a message isn't spam (so I go on to use SpamAssassin on it), but it seems to me that a 'fail' result is a perfectly good reason to reject a message outright, which is what I do (without it even being passed to SpamAssassin).

After all, a 'fail' result means that the owner of the domain from which the message purports to come has gone to some trouble to set up an SPF record saying "mail from my domain will only ever arrive at your mail server directly from the following list of servers..., please feel free to reject any which pretends to be from my domain but which comes from _other_ servers".

It's more than "one hop in the chain" - it's the _last_ hop, from _somewhere_ to my mail server, the one that I can be certain of without looking at headers, because I can _see_ what IP address is talking to my server.

Sure: the spammers can get proper domains and set up SPF records resulting in 'pass', but then we just reject their junk with SpamAssassin in the usual way. But most spammers just continue to invent email addresses of innocent people in their "MAIL FROM" commands, and provided that 'innocent domain' has published SPF, then I'm pleased to see my mail server rejecting lots of such junk as soon as the "MAIL FROM" is given - they never even get to transmit the body of the message.

-- 
Clarke Brunt
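The policy discussed above (reject at MAIL FROM only on a hard SPF 'fail'; let 'pass', 'softfail', 'neutral' and 'none' through to content scoring), as an added example that is not part of the original thread. It evaluates only ip4 mechanisms and the 'all' terminal against a constructed in-memory record table; include/mx/a mechanisms and real DNS lookups are left out, and the record contents and domain names are made up.

```python
# Added example (not from the original thread): minimal SPF evaluation at
# MAIL FROM time. Only ip4 mechanisms and the 'all' terminal are handled;
# include/mx/a and DNS are out of scope for this illustration.
import ipaddress

# Constructed records standing in for DNS TXT lookups (hypothetical domains).
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "soft.example":   "v=spf1 ip4:203.0.113.0/24 ~all",
    "nospf.example":  None,   # domain publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result for client_ip against one record string."""
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # skip the leading 'v=spf1' tag
        qual = "+"                          # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # 'in' is False when ip is IPv6 and the network is IPv4, so a
            # v6 client never matches an ip4 mechanism.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]         # terminal: '-all' => fail, etc.
        # any other mechanism is unsupported here and treated as no match
    return "neutral"


def mail_from_decision(mail_from, client_ip, records=SPF_RECORDS):
    """SMTP reply for MAIL FROM: 550 on hard fail only; everything else is
    accepted so the body can later be scored by a content filter."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = evaluate_spf(records.get(domain), client_ip)
    if result == "fail":
        return (550, f"5.7.1 SPF fail: {client_ip} may not send for {domain}", result)
    return (250, "2.1.0 Sender OK (continue to content filtering)", result)


if __name__ == "__main__":
    print(mail_from_decision("alice@strict.example", "203.0.113.5"))
    print(mail_from_decision("alice@strict.example", "192.0.2.200"))
```

Note that a record such as `v=spf1 +all` yields 'pass' for any client, which is exactly why a 'pass' says nothing about spamminess and only a 'fail' is acted on here.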