On Nov 28, 2007, at 12:08 PM, Udo Rader wrote:
Rick Romero wrote:
On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:
On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
Your spf record is broken:
dovecot.org. 39942 IN TXT "v=spf1 a -all"
Care to tell also why? dovecot.org's mails are sent from the same IP
as its A record.
Hmmm. I would have listed mx as well, but that's just me. But just
listing a is likely better in that there are fewer lookups for the
receiving system.
One thing that bugs me is why we must now implement domainkeys on top
of SPF. SPF pretty much does everything domainkeys does but simpler.
Because SPF is a broken hack that doesn't properly accommodate the
forwarding of email without the use of other complicating hacks
such as SRS which mangle the sender address.
SPF should have been scrapped years ago. Instead, most large
organizations use "?all" in their SPF entry (typically because of the
forwarding problem), putting SPF in advisory mode which negates the
whole purpose of having it anyway.
I disagree.
The only way you should be using SPF on the receiving end is as an
additional weight for spam scoring.
Some time ago there was a similar discussion on the postfix ML and I
had pretty much the same arguments that you had.
But as a matter of fact, I got corrected. The major problem with even
scoring is that the only thing spammers have to do (and they really do
it!) is to register some new domain, enter valid SPF records for it,
and then their scoring might even improve.
I only give negative points for non-matching records. No positive
points. (Unless I misconfigured something, that's how I believe -
and want - it to work).
The idea being that even if the record doesn't match, if it's a valid
email you won't have enough other negatively scoring components to
completely drop it.
If there is a negative match on spam then we're also compensating for
changes in the structure of the email that might get it past bayesian
filters.
If there is no record, or a positive match, then IMHO we're really
neither better nor worse off.
The 'spammers create domains' argument almost negates the sender
verification system entirely - assuming you're giving positive points
for any valid records.
Rick
--
Udo Rader
http://www.bestsolution.at