Eric,

The default setting for SpamAssassin is to enforce SPF as directed
(which means: soft-fail for ~ matches, hard fail for - matches, and
ignore for ? matches).

The operative part for me (since both qmail-smtpd AND SpamAssassin are
apparently checking SPF) is the part where I ensure that my hosted mail
domains are using a *-all* at the end of their SPF declarations. I'm not
really worried that we're checking SPF

The problem, in my experience, is that people set up SPF with a ~all at
the end to "test" and then never go back and change it to a "-all" --
thus, they're forever "just testing" and thus telling mail servers
essentially that they should be ignoring SPF after all (or, using it
solely as part of your SPAM ranking).

I mentioned a Wiki article -- the other one I'm working on is the use of
DMARC -- which is a facility whereby you can get reports from larger
ISPs about how mail from your domains is being processed. You can
choose to get aggregate reports (that is, summaries of all connections),
or just error reports.

I have DMARC records on the qmailtoaster.com domain... and I routinely
get error responses like the one here:

This is a spf/dkim authentication-failure report for an email message
received from IP 113.190.1.230 on Fri, 22 Nov 2013 12:52:47 +0800.
Below is some detail information about this message:
1. SPF-authenticated Identifiers: none;
2. DKIM-authenticated Identifiers: none;
3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism
check failures;
For more information please check Aggregate Reports or mail [email protected].

The email also includes full headers for the rejected message(s) --
which in this case is someone trying to send out SPAM as
*[email protected]* DIRECTLY from the above IP address.
(The only legitimate source of messages from
[email protected] is our mailserver @ 80.254.129.244.)

While this doesn't help me to block messages from 113.190.1.230, it DOES
help me to know that my SPF settings are working... and if I get one of
these messages from a legitimate source (like the proverbial
"my-marketing-company", who sends out email SPAM on my behalf [well, I
don't think it's SPAM, only 99% of the recipients think it's SPAM!]), then
I know I need to adjust my SPF settings to allow those messages.

No one ever said e-mail was easy -- it's only the USERS who think it's
easy! :-)

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin

On 11/22/2013 11:49 AM, Eric Shubert wrote:
> We're planning to move the stock QMT in the direction as Dan describes.
>
> On 11/22/2013 09:01 AM, Dan McAllister wrote:
>> and I enforce SPF with a 3 in spfbehavior (and in SpamAssassin).
>
> I wonder about this though. Since you're enforcing SPF, what's left
> for SpamAssassin to do regarding SPF? Some rule that will score ~all
> configs?
>
> Just wondering.
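
The check the message describes for hosted domains (does each SPF record end in `-all` rather than `~all` or `?all`) can be scripted. The following is an added example, not part of the original message or of QMT; the function names and the sample records are constructed for illustration, and it reads TXT strings you supply instead of querying DNS.

```python
# Added example: audit SPF TXT records for the qualifier on the "all" mechanism.
# Qualifier meanings follow RFC 7208; a mechanism with no qualifier means "+".
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def all_policy(txt):
    """Return the SPF result a sender matching no earlier mechanism gets.

    One of 'fail', 'softfail', 'neutral', 'pass', 'redirect' (policy is
    delegated to another domain), or None if txt is not an SPF record.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    redirect = False
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = True
            continue
        qualifier, name = (low[0], low[1:]) if low[0] in QUALIFIER_RESULT else ("+", low)
        if name == "all":
            # "all" always matches: evaluation stops and redirect= is ignored.
            return QUALIFIER_RESULT[qualifier]
    # No "all": follow redirect= if present, otherwise the default is neutral.
    return "redirect" if redirect else "neutral"


def audit(records):
    """Map domain -> (policy, needs_review); only a hard fail passes review."""
    return {d: (all_policy(t), all_policy(t) != "fail") for d, t in records.items()}


# Constructed sample records; the example.* names and addresses are placeholders.
SAMPLE = {
    "strict.example": "v=spf1 mx ip4:192.0.2.10 -all",
    "testing.example": "v=spf1 mx include:_spf.mailer.example ~all",
    "ignored.example": "v=spf1 a ?all",
    "open.example": "v=spf1 mx",
    "delegated.example": "v=spf1 redirect=_spf.provider.example",
    "notspf.example": "some-site-verification=abc123",
}

if __name__ == "__main__":
    for domain, (policy, review) in audit(SAMPLE).items():
        print(f"{domain:18} {str(policy):9} {'REVIEW' if review else 'ok'}")
```

A `redirect` result means the effective policy lives in the target domain's record, so that record has to be audited as well.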