On Wed, 21 Mar 2007 13:12:27 -0700, Jo Rhett <[EMAIL PROTECTED]> wrote:
>On Mar 6, 2007, at 11:45 AM, Raul Dias wrote:
>> I was thinking about adding spf checking support directly in the MTA.
>> This would allow messages that fail spf to be instantly blocked.
>
>Bad idea, and not recommended even by the maintainers of OpenSPF.
>
>> Also, many webservices (like contact forms, php generated messages)
>> forge the sender address (usually to the recipient's address).
>>
>> How do you guys deal with this?
>> 1 - Don't enable spf at mta level (leave it to SA)
>
>Yes. Score it high, but use whitelist senders and/or whitelist hosts
>to adjust for individuals.
>
>> 2 - Enable spf at MTA, but keep monitoring and whitelisting broken
>> sender.
>
>Way too much work.

Interesting. My MTA has options for hard and soft fail. Should I choose, I could bounce on hard fail and leave SA to deal with soft fail.

All of the above accepted, I don't rate spf that highly. With legit users that move day to day (so IP to IP) spf is great in theory - just not quite so hot in practice....

/me watches his 2c fall into MS/Yahoo coffers... :-D
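The two-tier policy the thread circles around (reject only on SPF hard fail at the MTA, hand softfail and everything weaker to SpamAssassin as a score, and let sender or host whitelists override the verdict for known-broken sources such as web contact forms) is small enough to write down. The following is an added example, not code from any poster or from SpamAssassin; it parses the `Received-SPF` header syntax defined in RFC 7208 and then applies a policy function. The whitelist entries, score values, function names and the sample header are constructed for the example and are not from the thread.

```python
"""Added example: SPF hard-fail / softfail policy with whitelist overrides.

Not from the mailing-list thread. Whitelists, scores and the sample header
below are constructed values; in a real deployment the scores would live in
SpamAssassin's local.cf and the whitelists in the MTA or SA configuration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed whitelists (assumed names). The host list models "our own web
# servers", whose contact forms forge the recipient's address as sender and
# would otherwise hard-fail SPF. 192.0.2.0/24 is TEST-NET-1, a documentation range.
WHITELIST_SENDERS = {"roaming.user@example.org"}
WHITELIST_HOSTS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed score values handed to the content filter instead of rejecting.
SOFTFAIL_SCORE = 3.0
FAIL_SCORE = 5.0


@dataclass
class Verdict:
    action: str          # "reject", "accept" or "score"
    score: float = 0.0   # only meaningful when action == "score"
    reason: str = ""


def parse_received_spf(header_value):
    """Parse a Received-SPF header value: '<result> (<comment>) k=v; k=v ...'.

    Returns (result, dict_of_key_values). Keys such as client-ip,
    envelope-from and helo are the ones RFC 7208 section 9.1 defines.
    """
    m = re.match(r"\s*(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$", header_value, re.S)
    if not m:
        raise ValueError("malformed Received-SPF header")
    result, _comment, rest = m.group(1), m.group(2), m.group(3)
    kv = {}
    for part in rest.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip().lower()] = value.strip().strip('"')
    return result.lower(), kv


def spf_policy(spf_result, client_ip, envelope_from, reject_on_hardfail=True):
    """Decide what the MTA does with a message given its SPF result.

    Whitelists win over the SPF result, so a whitelisted sender or host is
    accepted even on hard fail. Hard fail is rejected (or scored when
    reject_on_hardfail is False), softfail is scored, everything else
    (pass, neutral, none, temperror, permerror) is accepted and left to SA.
    """
    result = spf_result.lower()
    sender = envelope_from.lower()

    if sender in WHITELIST_SENDERS:
        return Verdict("accept", 0.0, "whitelisted sender")
    if client_ip is not None:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in WHITELIST_HOSTS):
            return Verdict("accept", 0.0, "whitelisted host")

    if result == "fail":
        if reject_on_hardfail:
            return Verdict("reject", 0.0, "SPF hard fail")
        return Verdict("score", FAIL_SCORE, "SPF hard fail scored")
    if result == "softfail":
        return Verdict("score", SOFTFAIL_SCORE, "SPF softfail scored")
    return Verdict("accept", 0.0, f"SPF {result}: left to content filter")


def decide_from_header(header_value, reject_on_hardfail=True):
    """Convenience wrapper: parse a Received-SPF value and apply the policy."""
    result, kv = parse_received_spf(header_value)
    return spf_policy(result, kv.get("client-ip"), kv.get("envelope-from", ""),
                      reject_on_hardfail)


# Constructed sample header, in the RFC 7208 layout; 203.0.113.7 is TEST-NET-3.
SAMPLE_HEADER = (
    "fail (mx.example.net: domain of user@example.com does not designate "
    "203.0.113.7 as permitted sender) client-ip=203.0.113.7; "
    "envelope-from=user@example.com; helo=smtp.example.com;"
)

if __name__ == "__main__":
    print(decide_from_header(SAMPLE_HEADER))
    print(spf_policy("softfail", "203.0.113.7", "user@example.com"))
    print(spf_policy("fail", "192.0.2.10", "webmaster@example.com"))
```

The whitelist check deliberately runs before the result check: that is what makes the "score it high, but whitelist senders and hosts" approach workable, because the contact-form host is exempted once rather than being chased sender by sender. Flipping `reject_on_hardfail` is the difference between the two options Raul listed, with the parsing and scoring unchanged.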