Jason Bertoch wrote: >>>Which case is there a record, but the sending server IP >>>doesn't match? > > >>That depends what the sender's SPF record is set for in >>the "all" clause. > > >>If it's ?all you get SPF_NEUTRAL >>If it's ~all you get SPF_SOFTFAIL >>if it's -all you get SPF_FAIL. > > > > That makes sense but now the scores for these rules have me a little confused. > If a domain administrator indicates that we should fail any message not > sourced > from his IP's, why is the score for SPF_FAIL the smallest of the three?
I don't know about your SA, but on 3.1.0's set 3 it's the middle of the three. You're trying to apply simple logic to a non-simple system. Never expect the simple when it comes to SA rule scores, the system is many orders of magnitude more complex than you think, because it's based on REAL patterns of REAL email sent by human people. Let's look at some real-world data: OVERALL% SPAM% HAM% S/O RANK SCORE NAME 3.437 4.8942 0.0396 0.992 0.80 1.38 SPF_SOFTFAIL 2.550 3.5717 0.1676 0.955 0.53 1.14 SPF_FAIL 2.297 3.2090 0.1695 0.950 0.52 1.07 SPF_NEUTRAL Note that SPF_FAIL matched had a higher HAM% than SOFTFAIL did.. Just because it in theory should be a better test does not mean it will be. You've got humans involved here, and human behavior is a lot strange. My guess is that a careless admin who did not think the implications through would be prone to immediately go to SPF_FAIL. This careless admin is also more likely to have omissions from his SPF record. SOFTFAIL is more likely to be used by conservative admins who think out their needs more carefully. These sites are much less likely to have omissions in their records. But that's just a theory. I'm no psychologist, I just read the numbers.
