Phil Pennock wrote:
> On 2009-05-06 at 09:27 +0100, Mike Cardwell wrote:
>> Quite a lot of domains have an SPF record of "v=spf1 -all". I never
>> found out *why* this is the case, but it is.
>
> I have the domains: globnix.org globnix.net globnix.com
>
> The first two are in active use. The third is not used for sending mail
> and mostly is a placeholder, which makes it rather convenient for
> various tests, where I need a real registered domain.
>
> globnix.com never sends mail.
Different <domain>.<tld> here, but we are much on the 'same wavelength' so far...

> .. I used to get joe-job backscatter for it.
> Between DomainKeys and the SPF "v=spf1 -all" I no longer get joe-job
> backscatter for it.

Without either, I get JJB almost never... as in the odd singleton response to a forgery about 2 or 3 times a year.

Now - it may be because only a few such are not themselves forgeries of bounces of forgeries... IOW - if I accepted traffic less cautiously, I might see more.

> There are many issues with SPF and how it relates to forwarding, but if
> a domain never sends mail in the first place, then there's no mail to
> forward and it's safe to publish SPF records for that domain.

I find it easier to not run anything on port 25, and not publish MX or PTR for that IP. ELSE point at least MX to another server I DO run an MTA on. But that's not a biggie either way...

> More, it's polite to publish such an SPF record for that sort of domain,
> letting others have a lightweight check to reject inbound spam.
>
> Regards,
> -Phil

Can't disagree with the 'polite' part, either, but ...

Here's why I asked:

- IF I were to receive incoming purporting to be from, using your example, globnix.com AND the rDNS passed muster, I'd presume you intended to send, and - while making other tests - not have a care as to the presence, let alone 'nuances' of an spf record. Simply put, it tells me nothing any more useful than what is already in front of me.

- IF, OTOH, said arrival was a forgery, I'd not need to look at an spf record to determine that, either.

Ergo, if I were to recompile with DNSDB (prerequisite), and insert the code for that test .. ... it would be most unlikely to ever 'trigger'.

- A 'legit' message would live or die on the credentials of the sending server, (rDNS, FQDN in HELO, correct format and MIME-type usage), AND NOT ClamAV or SA finding malware or unwanted content/attachments.

- A forgery would not make it past acl_smtp_connect.
That said, the code *could* be 'traversed' even if not triggered. And there is my real objection..

Are you making this sort of callout / DNSDB lookup on all - or even a large percentage of traffic transiting?

Surely the percentage of arrivals that might have usable information must be small? Very small...

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
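To show what a receiver's SPF check actually concludes from the "v=spf1 -all" record Phil describes, compared with an ordinary sender record, here is a small SPF evaluator added as an example (it is not code from this thread or from Exim). It handles only the ip4, ip6 and all mechanisms so that it runs offline; the records and domain names are constructed placeholders.

```python
"""Minimal SPF evaluator: ip4 / ip6 / all mechanisms only (added example).

DNS-driven mechanisms (a, mx, include, exists, redirect) are left out on
purpose so the code runs without network access; records are given inline.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip against an inline TXT record.

    Unsupported mechanisms yield 'permerror', which is what a checker
    reports for a record it cannot fully process.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "-all" alone: every client fails
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # a, mx, include, exists, redirect: not handled here
    return "neutral"  # no mechanism matched and no 'all' term present


# Constructed sample records; the domain names are placeholders.
RECORDS = {
    "nosend.example": "v=spf1 -all",                   # never sends mail
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",  # one outbound range
    "soft.example": "v=spf1 ip4:192.0.2.10 ~all",
}


def check(domain: str, client_ip: str) -> str:
    """Evaluate the sample record for domain against a connecting IP."""
    return evaluate_spf(RECORDS[domain], client_ip)


if __name__ == "__main__":
    for domain in RECORDS:
        for client in ("192.0.2.5", "198.51.100.7"):
            print(f"{domain:16} from {client:14} -> {check(domain, client)}")
```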
