On 11/19/2010 5:03 PM, Michael Scheidell wrote:
> with SPF, it could be the sender's DNS servers, or if they use includes,
> the DNS servers for that side, so, it's dangerous to add +50 points, say,
> and then use spf/dkim or auth to whitelist.

You do have a valid point, but I'm not too worried about it myself, since I use this method only for big domains which are unlikely (IMO) to frequently have the type of DNS failures you speak of.

Hmm, I wonder if you could protect against DNS failures with something like:

  meta __LOCAL_GOT_SPF (SPF_PASS||SPF_NEUTRAL||SPF_FAIL||SPF_SOFTFAIL||SPF_HELO_PASS||SPF_HELO_NEUTRAL||SPF_HELO_FAIL||SPF_HELO_SOFTFAIL)
  header __LOCAL_FROM_FBM1 from =~ /\...@facebookmail\.com/i
  meta LOCAL_FROM_FBM ( __LOCAL_FROM_FBM1 && __LOCAL_GOT_SPF )
  score LOCAL_FROM_FBM 50.0
  whitelist_from_spf *...@facebookmail.com

My idea is that, in the case of DNS failures or timeouts while looking up SPF, __LOCAL_GOT_SPF would be false (I think), thus preventing the 50.0 penalty. And in the normal case where DNS is okay, the penalty and whitelisting would function as before. Would that work, or is it crazy?

> clients complain of course, if you miss one spam, and complain, of
> course if you block one legit email.

Yes, that's what makes our jobs so interesting. :)
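To check the idea above without a mail server, here is an added Python model (not SpamAssassin's own code) that evaluates the post's meta rules against a set of rule hits; whitelist_from_spf is approximated as a USER_IN_SPF_WHITELIST hit with an assumed score of -100 when SPF_PASS and the From match.

```python
import re

TOKEN = re.compile(r"[A-Za-z_]\w*|&&|\|\||[()]")  # rule name, and, or, parens

def eval_meta(expr, hits, metas):
    """True if a meta expression (&&, ||, parens) holds for the set of rule hits."""
    if not re.fullmatch(r"(?:\s*(?:[A-Za-z_]\w*|&&|\|\||[()]))*\s*", expr):
        raise ValueError(f"unsupported meta syntax: {expr!r}")
    toks, i = TOKEN.findall(expr), 0
    def atom():
        nonlocal i
        t = toks[i]; i += 1
        if t == "(":
            v = or_expr()
            i += 1                     # skip the closing ')'
            return v
        # a name that is itself a meta rule is resolved recursively
        return eval_meta(metas[t], hits, metas) if t in metas else t in hits
    def and_expr():
        nonlocal i
        v = atom()
        while i < len(toks) and toks[i] == "&&":
            i += 1
            v = atom() and v           # evaluate both sides, no short-circuit
        return v
    def or_expr():
        nonlocal i
        v = and_expr()
        while i < len(toks) and toks[i] == "||":
            i += 1
            v = and_expr() or v
        return v
    return or_expr()

# The rules from the post, as data. whitelist_from_spf is modelled as the
# USER_IN_SPF_WHITELIST hit SpamAssassin adds on SPF_PASS plus a From match
# (score assumed -100 here; the real value comes from the local config).
METAS = {
    "__LOCAL_GOT_SPF": "(SPF_PASS||SPF_NEUTRAL||SPF_FAIL||SPF_SOFTFAIL||SPF_HELO_PASS"
                       "||SPF_HELO_NEUTRAL||SPF_HELO_FAIL||SPF_HELO_SOFTFAIL)",
    "LOCAL_FROM_FBM": "( __LOCAL_FROM_FBM1 && __LOCAL_GOT_SPF )",
}
SCORES = {"LOCAL_FROM_FBM": 50.0, "USER_IN_SPF_WHITELIST": -100.0}

def score(hits):
    # total contributed by the post's rules for a message with the given hits
    hits = set(hits)
    if {"__LOCAL_FROM_FBM1", "SPF_PASS"} <= hits:
        hits.add("USER_IN_SPF_WHITELIST")
    total = sum(SCORES[n] for n, e in METAS.items() if n in SCORES and eval_meta(e, hits, METAS))
    return total + (SCORES["USER_IN_SPF_WHITELIST"] if "USER_IN_SPF_WHITELIST" in hits else 0.0)
```

With the quoted rules, a timed-out SPF lookup yields no SPF_* hit, so LOCAL_FROM_FBM stays off and the contribution is 0; a passing lookup nets -50 and a failing one +50.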