Marc Perkel wrote:
> I'm still waiting for anyone to describe any use for SPF
> that doesn't create false positives on normal email forwarding
> or allow spammers to whitelist themselves by using correct SPF
> to send spams.
Marc, this is very, very simple, and all these points have been raised in this thread, but not all at once together. This is my attempt to bring the whole picture into four concise points.

1) SPF is all but useless at positively identifying spam. We all know this.
   Corollary: Do not use SPF-Fail as a spam indicator.

2) SPF is also useless at detecting ham. An SPF-Pass means that a given email really is coming from the domain it claims to come from, but that is not an indication that it is "good" or wanted.
   Corollary: Do not use SPF-Pass as a ham indicator.

3) Let's say you bank with Bank of MyBank BankCorp. MyBank.com specifies an SPF record. You receive a message claiming to be from mybank.com, and it passes SPF. You can be reasonably certain it is legitimate.
   Corollary: Do use SPF in combination with a whitelist to make the whitelist more powerful.

4) You receive another message from mybank.com, and it fails SPF. This could be a spam/scam/phish email. It could also have been forwarded to you, either by your own forwarder, or by a friend who's forwarding you news about them.
   Corollary: Do not use SPF to blacklist messages. Messages failing SPF are merely not whitelisted, and thus subject to normal anti-spam efforts. A legitimate, forwarded mail is likely to pass the spam tests. A spam/scam/phishing email is not.

THAT'S IT! That's all she wrote. End of discussion. It meets the requirements you specified, and here's the benefit it offers in the context of SpamAssassin (so as to keep at least a modicum of on-topic-ness):

* whitelist_from: Dangerous, because anyone can forge From headers.
* whitelist_from_rcvd: Better, but requires you to make configuration changes every time the sender adds or changes outgoing mail servers.
* whitelist_from_spf: Ding! We have a winner. It's a whitelist_from_rcvd where the sender can automatically provide you with updates to their list of outgoing mail servers.
What would be even better is to use SPF-Pass in combination with a whitelist at the MTA level, so that whitelisted "From" addresses passing SPF can skip SpamAssassin and other anti-spam checks entirely. This reduces load on the mail server, and minimizes the chance of false positives.
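The four-point policy from the post above, written out as an added Python example that is not from the thread or from SpamAssassin itself. It assumes the MTA has already recorded its SPF check in a Received-SPF header; the whitelist entries (in whitelist_from_spf style), the header contents and the three sample messages are all constructed.

```python
import email
import email.utils
import fnmatch
from email import policy

# Constructed whitelist, written in the style of SpamAssassin's whitelist_from_spf
# entries (example addresses, not a real configuration).
WHITELIST_FROM_SPF = ["*@mybank.com", "alerts@example.org"]

def spf_result(msg):
    """Read the result token from the Received-SPF header the MTA added.

    A Received-SPF value looks like "pass (mx.example: ...) client-ip=...";
    the first token is the result. A missing header is treated as 'none'.
    """
    value = msg.get("Received-SPF")
    if not value:
        return "none"
    return value.strip().split(None, 1)[0].lower()

def is_whitelisted(address, patterns):
    """Match a sender address against glob-style whitelist entries."""
    return any(fnmatch.fnmatchcase(address.lower(), p.lower()) for p in patterns)

def classify(raw_message, patterns=WHITELIST_FROM_SPF):
    """Whitelist only on SPF pass AND a listed sender (point 3); everything
    else, including an SPF fail, goes to the normal spam checks (points 1, 2, 4)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    result = spf_result(msg)
    if result == "pass" and is_whitelisted(sender, patterns):
        return "whitelist"   # safe to skip SpamAssassin entirely
    return "scan"            # never blacklisted on SPF alone

# Constructed sample messages covering the cases discussed in the post.
BANK_DIRECT = ("Received-SPF: pass (mx.example: domain of mybank.com designates 192.0.2.10 as permitted sender)\n"
               "From: Statements <statements@mybank.com>\nSubject: Your statement\n\nHello\n")
BANK_FORWARDED = ("Received-SPF: fail (mx.example: domain of mybank.com does not designate 198.51.100.7 as permitted sender)\n"
                  "From: Statements <statements@mybank.com>\nSubject: Fwd: Your statement\n\nHello\n")
SPAMMER_OWN_SPF = ("Received-SPF: pass (mx.example: domain of spammer.example designates 203.0.113.5 as permitted sender)\n"
                   "From: Deals <promo@spammer.example>\nSubject: Buy now\n\nHello\n")

if __name__ == "__main__":
    for name, raw in [("direct", BANK_DIRECT), ("forwarded", BANK_FORWARDED), ("spf-pass spam", SPAMMER_OWN_SPF)]:
        print(name, "->", classify(raw))
```

The forwarded bank message and the spammer's self-published SPF pass both end up in the "scan" path, which is exactly the behaviour the two objections in the quoted question ask for.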