I've been looking over this trying to figure out how to best implement it for my domains. It seems that since they are all on one class C, I should do the following:
v=spf1 +a/24 +mx/24 -all
Now three very important questions...
1) If I implement this, will intra-server E-mail fail this test? i.e. local mail customer at client IP 123.123.123.123 E-mails me, where 123.123.123.123 is not a local address, but the address of the border router at the client's location.
Yes. Think of it this way -- is there any way to know that 123.123.123.123 belongs to your client and not a spammer?
OTOH, you could use "WHITELIST AUTH" to whitelist their E-mail.
2) When my clients who are SMTP blocked by their ISP (port 25), and forced to use their ISP's mail server, am I correct in assuming that this will fail?
Correct. In this case, it sounds like you would instead want to use:
v=spf1 +a/24 +mx/24 ?all
That way, you are saying that legitimate E-mail might come from IPs other than the ones that you list. This way, neither #1 nor #2 will fail.
If I changed the test to +all in order to prevent these issues (if real), then it seems that it would only be useful as a negative weight test when my data is used.
"+all" is a very bad thing -- it says "Spammers, you are welcome to forge my domain from any IP." While "-all" wouldn't work for you (it says that nobody from IPs you do not list can send mail from your domain), "?all" would work (it says that anybody trying to send mail from your domain using an IP you do not list *may* be legitimate).
-Scott
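
Added example, not part of the original message and not Declude's code: a minimal Python sketch of how a receiver evaluates the record variants discussed above for a sender inside and outside the listed /24. The resolved A and MX addresses (192.0.2.x), the function names and the "+all" record line are constructed assumptions; only the a, mx and all mechanisms are handled.

```python
import ipaddress

# Constructed sample data: addresses the domain's A and MX records resolve to
# (documentation range; a real checker would do DNS lookups here).
RESOLVED = {"a": ["192.0.2.10"], "mx": ["192.0.2.25"]}

# SPF qualifier -> result returned when the mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECORDS = [
    "v=spf1 +a/24 +mx/24 -all",
    "v=spf1 +a/24 +mx/24 ?all",
    "v=spf1 +a/24 +mx/24 +all",
]


def check_spf(record, sender_ip, resolved=RESOLVED):
    """Evaluate a record limited to the a, mx and all mechanisms.

    Mechanisms are tried left to right; the first match decides the result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier defaults to "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, cidr = term.partition("/")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name not in resolved:
            return "permerror"  # mechanism outside this sketch's scope
        prefix = int(cidr) if cidr else 32
        for addr in resolved[name]:
            # "a/24" matches any sender in the same /24 as a resolved address.
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            if ip in net:
                return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def compare(sender_ip):
    """Return the result of each record variant for one sending IP."""
    return {record: check_spf(record, sender_ip) for record in RECORDS}


if __name__ == "__main__":
    for ip in ("192.0.2.77", "123.123.123.123"):
        for record, result in compare(ip).items():
            print(f"{ip:<16} {record:<28} {result}")
```

A sender inside the /24 passes under all three records; the difference only shows for an unlisted address such as 123.123.123.123, where the trailing "all" term decides the result.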
