> I'm considering enforcing SPF / DMARC standards on my mail server, knowing
> that this will block not only most spam, but also some valid emails to my
> customers.
>
> Has anyone here done the same thing? If so, what are your thoughts? Did it
> create a ton of follow-up work for you with clients screaming that they're
> not getting emails, or was there a parade held in your honor?
>
> Would spam disappear overnight if everyone did the same thing?
I've enabled SPF filtering on our incoming mail, but it did catch a lot of
"false positives" - enough that I ended up turning it back off again,
essentially. The "false positives" weren't really false positives in the
strictest sense, as they were messages that didn't in fact match their
point-of-origin SPF records. But there are a lot of common causes for this in
the enterprise:

- internal mail servers used by application servers
- email-as-a-service senders like SalesForce
- internal mail servers used by pockets of internal users that don't use the
  regular corporate email system - you'd be surprised how often this comes up
  in large enterprises, or at least I was surprised.

Spam would disappear overnight if everyone had correct SPF records, and
everyone also filtered by SPF. But then it would reappear the next day. There's
nothing stopping spam from coming from a valid SPF source, and botnets, for
example, could easily send through compromised but otherwise legitimate hosts.
(In fact, I was exaggerating above, as not all spam relies on illegitimate
senders even now.)

> I know I also have a little work to do to make sure all my SPF records are
> correct, knowing that many customers cannot connect to my SMTP through their
> ISP (i.e. some Comcast customers), and thus their outgoing emails would fail
> the SPF test. I sense a customer poll coming on...

You could specify a soft fail for unauthorized hosts, rather than a hard fail.
But if you're providing a service to customers to allow them to send mail, it's
probably a bad idea to identify some of that mail as illegitimate, regardless
of what your customer poll might tell you.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule,
and provides the highest caliber vendor-authorized instruction at our training
centers, online, or onsite.
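The soft-fail versus hard-fail choice discussed in the reply above, worked through as an added example (this is not code from the original thread): a minimal SPF evaluator in Python run over constructed records. The FAKE_DNS table, the domain names and the IP ranges are assumptions made for the example; a real receiving MTA resolves the TXT records over DNS and implements the remaining mechanisms (a, mx, ptr, exists, redirect), which this evaluator deliberately reports as permerror rather than guessing.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups. The domains are
# documentation names, not real ones, and the records are assumptions made for
# this example.
FAKE_DNS = {
    # customer-facing domain: own relay range, a third-party bulk mailer, soft fail
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example ~all",
    # the bulk mailer's own record, pulled in by the include above
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    # same relay range but with a hard fail for everything else
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=None, depth=0):
    """Evaluate an SPF record for sender_ip, the way a receiving MTA does.

    Supports the ip4/ip6/include/all mechanisms with the four qualifiers;
    anything else (a, mx, ptr, exists, redirect) is reported as permerror so
    the shortcut is visible rather than silently wrong.
    """
    dns = FAKE_DNS if dns is None else dns
    if depth > 10:                      # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                 # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if not arg:
                return "permerror"
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, sender_ip, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror", "temperror"):
                return "permerror"      # a broken include breaks the whole record
            # fail/softfail/neutral from an include is just "no match here"
        else:
            return "permerror"          # mechanism not implemented in this example
    return "neutral"                    # record ran out without a match


def accept(domain, sender_ip, reject_softfail=False):
    """Receiving-side policy: reject on hard fail, optionally on soft fail too."""
    result = check_spf(domain, sender_ip)
    if result == "fail":
        return False
    if result == "softfail" and reject_softfail:
        return False
    return True


if __name__ == "__main__":
    cases = [
        ("example.com", "203.0.113.5"),     # customer's own relay
        ("example.com", "198.51.100.10"),   # bulk mailer, authorised via include
        ("example.com", "192.0.2.7"),       # customer sending via their ISP's relay
        ("strict.example", "192.0.2.7"),    # same situation under -all
    ]
    for domain, ip in cases:
        print(f"{domain:22} {ip:15} {check_spf(domain, ip):9} "
              f"accept={accept(domain, ip)} "
              f"accept(reject_softfail)={accept(domain, ip, True)}")
```

The last two cases carry the point of the reply: a customer relaying through their ISP's mail server gets softfail under "~all" and is still delivered by a policy that only rejects hard failures, while "-all" turns the same message into a rejection. The include line shows why a third-party sender only works once its record is listed, and the evaluator never looks at the message itself, so a compromised but authorised host passes exactly as the reply warns.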
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355336

