Dnia 10.06.2023 o godz. 17:33:06 Gerd Hoerst via Postfix-users pisze:
my entry e.g.
600 IN TXT "v=spf1 a mx -all"
that mean all servers listet in MX enrties of my domain are allowed
to send emails from my domain....
So if you receive an email from my domain which are not sent from
one of those servers you can (if you want) put them in spam
On 10.06.23 23:18, Jaroslaw Rafa via Postfix-users wrote:
The original question was about a very specific SPF record, where the only
entry is "-all".
This SPF should be treated specially, as it indicates clearly that the
domain owner does not intend to send any mail from this domain, ever.
Note there is also RFC 7505 "Null MX" where you simply add "IN MX 0 ." to
any DNS name you wish not to send or accept e-mail. (this is designed to
work around implicie MX records when A record is present).
So I would say in this case the spam signal is much stronger than with any
other SPF record (ie. for domains that DO actually send mail), and
regardless of how you treat SPF failures from other domains, you SHOULD
reject mail from domains that have this specific type of SPF record (why
accept mail from a domain that is not supposed to send any mail at all?).
looks like spf-engine's pyspf-milter and policyd-spf-python support option
"No_Mail = True" to explicitly reject mail in this case even if SPF is not
enforced.
However, this is a bit hard to do, as all existing SPF checking tools that I
know do not treat this particular type of SPF record specially and don't
distinguish SPF failure on this kind of record from SPF failure on any other
type of SPF record. I would love to have a SPF tool that would mark SPF
failure on a domain that has only "-all" as a special case, something like
"absolute failure" while all other failures are just a "failure". Then I
could reject messages that fail SPF "absolutely" and just ignore "normal"
SPF failures (as I don't intend to check SPF on incoming mail from "normal"
domains and don't actually do it now). However, I don't know any tool that
makes this distinction and I'm not desperate enough to write my own ;).
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
