This is why I am not implementing SPF on my system. As a blacklist, it would punish some of my customers, so I would be forced to list them as unknown which is in effect as effective as not listing them at all. I certainly wouldn't want to assume that since 95% of them would pass a strict test, I should list them as known and then allow another administrator to reject the other 5% at the SMTP envelope as has been suggested.

As a method of crediting users, I see an increasing amount of zombie spam being sent from legit mail servers and I don't have issues with rejecting legitimate E-mail unless it comes from a known zombie or open relay, and then it still generally passes.  I see no reason to give credit for such cases, and under that form of thought, I would also not recommend that others credit my users simply because they passed SPF since they are certainly capable of spamming at any point in time (and some have asked to do so in the past).  There is also nothing stopping a static bulk mailer from implementing SPF on their own system, and to my knowledge, there is no way to stop that from happening.  It's niche bulk E-mail sent in low volume that has the greatest likelihood of getting past my filters.

To each their own of course.  I'm just trying to document some of the issues that people should look out for when implementing SPF for their domains, and scoring it on their systems.

Matt




Sanford Whiteman wrote:
I get a lot of E-mail that would fail SPF that is in fact valid. A
lot of mail scripts and E-commerce sites are set up to send E-mail
notifications with the Mail From generated from a user submission
(since one can just simply press reply in order to respond).
    

While that may impact the willingness of the owners of some domains to
publish SPF policies, that's irrelevant to the legitimacy of mail that
does not conform to already published SPF policies.

  
Also, some of my own customers are blocked by their ISPs from using my
mail server for SMTP, which means that if I configured SPF strictly for
their domains, they would fail this test wherever implemented.
    

That's right: if you want to prevent people from forging your domain
whenever and wherever they want, you have to prevent people from
forging your domain whenever and wherever you want--Q.E.D. Your "own"
users need to conform to your policies.

You're confusing the _obligations_ of those who want to publish SPF
records, and the related customer relationship management, for a
problem in published SPF records.

  
If you opt to use SPF on your system, take advantage of the
weighting capabilities of Declude, and I would suggest at most being
very cautious about how much weight you give it.
    

Sorry, Matt, but that's a bit of FUD. If a domain owner publishes a
strict sender policy for mail using their registered domain, if I do
anything but follow that policy, I am defying the wishes of the legal
owner of the domain. To accept and deliver mail as legitimate that is
known to be illegitimate--the SPF policy, not my subjective notion of
message content, dictates legitimacy--is putting your faith in the
wrong place. I d**n sure hope that nobody is testing for SPF and
delivering mail for the domains for which I have published policies,
especially without contacting us--I'd have very strong words for them.

Of course, it's incumbent upon the domain owner to make sure that
their SPF policies, their AUP, and their customer relationships are in
order. But I _must_ trust that they are, or I am behaving most
illogically. We HOLD on SPF FAIL.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
    http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
