On Wed, 18 Nov 2015 14:37:38 -0000, Elod G <gye...@gmail.com> wrote:

The SPF plugin is already checking for the standard Received-SPF and
Authentication-Results headers. Those headers are added by the SPF
policy server and used by other milters. It is just the SA milter that
is not finding them because of a mis-configuration, I believe.

The documentation for ignore_received_spf_header <https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_SPF.html> seems to imply that SA should utilise the header as you believe:

"By default, to avoid unnecessary DNS lookups, the plugin will try to use the SPF results found in any Received-SPF headers it finds in the message that could only have been added by an internal relay."

So returning to your original questioning, changing to checking ALL instead of ALL-INTERNAL would result in checking against headers added by other relays and would presumably be spoofable. You may feel happy with this if you can ensure that any Received-SPF headers are removed upon entering your network, but if you can't be sure of that you potentially open yourself up to problems regarding any whitelisting you may undertake (not uncommon with phish targets).

It may be more productive to work on another angle.

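The mitigation mentioned in the reply above (removing any Received-SPF headers as mail enters the network), as an added Python example that is not part of the original thread and is not SpamAssassin's code. The hostnames and sample message are constructed, and also dropping every inbound Authentication-Results header is an assumption of this example.

```python
from email import message_from_bytes
from email.policy import compat32

# Headers that carry SPF verdicts a downstream filter might reuse.
# Assumption: the border relay drops all of them, then records its own result.
UNTRUSTED_ON_ENTRY = ("received-spf", "authentication-results")

def strip_inbound_spf_claims(raw: bytes):
    """Remove sender-supplied SPF verdict headers at the network border.

    Returns (cleaned_message_bytes, removed), where removed lists the
    (name, value) pairs that were dropped, for logging.
    """
    msg = message_from_bytes(raw, policy=compat32)
    removed = [(n, v) for n, v in msg.items() if n.lower() in UNTRUSTED_ON_ENTRY]
    for name in UNTRUSTED_ON_ENTRY:
        del msg[name]  # case-insensitive, deletes every occurrence
    return msg.as_bytes(), removed

def add_local_result(cleaned: bytes, header_line: bytes) -> bytes:
    """Prepend the verdict produced by the local SPF policy server."""
    return header_line.rstrip(b"\r\n") + b"\n" + cleaned

def spf_results(raw: bytes):
    """Received-SPF values a downstream filter would see in the message."""
    return message_from_bytes(raw, policy=compat32).get_all("Received-SPF", [])

# Constructed sample: the sender supplied its own "pass" verdicts.
SAMPLE = (
    b"Received: from mail.sender.example by mx.internal.example; "
    b"Wed, 18 Nov 2015 14:00:00 -0000\n"
    b"RECEIVED-SPF: pass\n (forged by sender)\n"
    b"Authentication-Results: mx.internal.example; spf=pass\n"
    b"From: billing@sender.example\n"
    b"Subject: invoice\n"
    b"\n"
    b"body text\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_inbound_spf_claims(SAMPLE)
    for name, value in removed:
        print("dropped", name, repr(value))
    final = add_local_result(cleaned, b"Received-SPF: fail (constructed local result)")
    print(spf_results(final))
```
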