On Wed, 2015-12-09 at 09:44 -0500, Alex wrote:
> My main problem is understanding how to build a rule to block
> spoofing attempts against my own domain? Do I need to build a meta 
> that combines envelope FROM with SPF_FAIL?
> 
Don't forget that SPF fails and errors will always be related to the
*sender's* SPF record.

If you use either SPF checker against your own SPF record all you're
doing is making sure that your SPF record is validly constructed and
correctly describes your domain, its MX records and IP range so that
third parties can avoid hitting you with backscatter when your address
has been forged as the sender of undeliverable spam.

To do what you're currently trying to do:

1) use 'dig' to manually inspect the sender's SPF record using either
the envelope sender domain or the sender domain from the earliest
Received: header on the delivery chain. As Reindl says, ignore the
From: header - if the message is spam it's probably forged.

or 

2) use either of those SPF tools to inspect the sending domain's SPF
record where 'sender domain' is as described in (1). The tools will say
whether the SPF record is junk or not and, if valid, comparing it with
the output from 'host' or 'dig example.com ANY' will tell you if its
content correctly describes the sender.


Martin
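
An added example, not part of the original message: a simplified Python sketch of the comparison described in steps (1) and (2), checking a connecting IP against the ip4/ip6 terms of an SPF TXT string as returned by 'dig'. The record, the addresses and the function names are constructed for illustration; mechanisms that need further DNS lookups (a, mx, include, ...) are only listed, not resolved, so this is not a full RFC 7208 evaluator.

```python
import ipaddress

# Constructed sample: the kind of answer `dig +short TXT example.com` returns.
SAMPLE_TXT = '"v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx include:_spf.example.net -all"'

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split an SPF TXT string into (qualifier, mechanism, value) tuples."""
    record = txt.replace('" "', "").strip('"')  # rejoin multi-string TXT data
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:  # skip modifiers (redirect=, exp=)
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+"  # default is '+'
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = body.partition(":")
        parsed.append((qual, name.lower(), value))
    return parsed


def evaluate(txt, client_ip):
    """Return (result, unresolved) for client_ip against the record.

    Terms are checked left to right, first match wins. 'unresolved' lists
    mechanisms seen before the match that need DNS lookups; if it is not
    empty, the result is provisional until those are checked as well.
    """
    ip = ipaddress.ip_address(client_ip)
    unresolved = []
    for qual, name, value in parse_spf(txt):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual], unresolved
        elif name == "all":
            return QUALIFIERS[qual], unresolved
        else:
            unresolved.append(name + (":" + value if value else ""))
    return "neutral", unresolved  # no term matched


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7"):  # constructed client IPs
        print(addr, evaluate(SAMPLE_TXT, addr))
```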
