> Hi, I have heard that SPF is controversial among mail administrators. Why is that? How many > people use it (on this mailing list)?
It's certainly not a simple subject: anyone who isn't familiar see http://spf.pobox.com/ So long as you're careful, and realise that mistakes might precent mail getting through (whether yours, or your ability to receive other people's), then it seems to me to be a _good thing_. I'm not referring to the domain I'm posting from now, so no point you attempting to check my SPF records :-), but I've published SPF records for a couple of domains, and check for SPF in the MTA (Exim4) when receiving, rejecting at SMTP time anything that gets a hard failure. I'm seeing it reject quite a lot a spam with forged "MAIL FROM" envelope sender. I'm not quite so sure about the use of SPF inside SpamAssassin, as it hasn't necessarily got access to the full information that the receiving MTA would have. I've looked at the code in SpamAssassin, but have forgotten some of the details. It presumably has to poke through headers looking for any evidence of the sending IP address, the MAIL FROM, and the HELO, whereas all these would be self-evident to an MTA. That said, I can't see its use in SpamAssassin doing any harm, as it just contributes towards the score like everything else. -- Clarke Brunt
