> > Now one of our customers sends a legit message through our mailserver.
> 
> Your use of "legit" is confusing. Rephrased, an SPF TXT 
> record _is_ a legitimate use policy. For the purposes of an 
> SPF check, there is no greater arbiter of legitimacy than that record.

I specified "legit" in this case to simply indicate that the message is not
spam.
The current implementation of SPF will identify this message as FAIL because
it's coming from another IP than allowed in the SPF record.
If I have to allow in the SPF record that the message can come in from many
(all?) other IPs then the defensive function of SPF becomes pretty useless,
or not?


> > Wouldn't this create a wrong result for SPFFAIL?
> 
> There are no "wrong" results with SPF (provided the SPF 
> parser is written correctly). If you're saying that you 
> set up an SPF record that will cause a fail for an IP or 
> PTR that isn't listed explicitly in the record, and you 
> send mail from such an IP, then a fail isn't wrong! Either 
> the policy is wrong outright, or you haven't created a setup 
> in which you can use non-SPF tokens (such as SMTP AUTH) 
> to counteract the weight you're assigning to SPF FAIL.

So it's important to clarify that without SMTP-AUTH whitelisting or IP-RANGE
counterweighting, Declude's SPF implementation shouldn't be used with a strict
SPF record that indicates "to the rest of the world" that a legit message
from domain-xy.com should come only from our server's IP.


> > Do I have to whitelist all local users in order to avoid false positives?
> 
> Well, what's a local user? If a local user is an AUTHed user, 
> then use WHITELIST AUTH; if a local user comes from a known 
> IP range, then you can whitelist that IP if you think 
> that's safe, or add that IP range to the SPF record (which 
> will allow for sensitivity to other tests). I don't think 
> "local user" is really such a helpful term, since it could
> cover just MAIL FROM: @example.com (as Declude uses in
> short-circuiting some tests), or something more "true."

A local user in my terms is anyone that connects to our server and both Imail
and Declude handle this as an outgoing message. Remote users send (incoming)
messages that are delivered to local users.

Wouldn't it be possible to let Declude check for SPF records only for incoming
messages?

BTW: We use Imail v7 without the possibility to whitelist SMTP-AUTHenticated
users and without well defined IP ranges from which our customers connect.

Markus

