On 09/05/2024 22:47, Bill Cole wrote:
> On 2024-05-09 at 08:37:06 UTC-0400 (Thu, 09 May 2024 14:37:06 +0200)
> Benny Pedersen <m...@junc.eu>
> is rumored to have said:
>> Bill Cole wrote on 2024-05-09 14:22:
>>>> In fact, I can't think of any whitelist test that should pass if SPF
>>>> fails.
>>> If you operate on the theory that an SPF failure is always a sign of
>>> spam, you can make your SpamAssassin always trust SPF failures
>>> absolutely. I would not recommend that. Some people screw up their SPF
>>> records. Other people forward mail transparently, which reliably breaks
>>> SPF. SPF is broken *by design* as a spam control tool AND as a mail
>>> authentication tool. We knew this 20 years ago, but it remains a useful
>>> tool if you work with its limits rather than assuming that they do not
>>> exist.
>> spf domain owner asked for hardfails, so why not score spf_fail as 100?
>> :)
> I believe that has been covered in extreme detail and redundancy here
> and in other email-related fora MANY times over the past 20 years.
> Domain owners do not KNOW all the paths their mail follows, even when
> they think that they do. Users frequently find ways to break SPF without
> doing anything wrong.

It's not often I agree with what Benny says, but this is one of them.
So what? Domain owners state hard fail, it SHOULD be hard failed,
irrespective of whether YOU think you know better than THEM or not; if we
hardfail, we accept the risks that come with it.
This is why SPF should always be handled separately by a milter, so a
hard fail won't make it to SpamAssassin or others who think they can
ignore a domain owner's wishes.
--
Regards,
Noel Butler