> On 01/26/2017 01:29 PM, Reindl Harald wrote:
>>
>> SPF_NEUTRAL will NEVER hit SPF_PASS and that's the problem with ?all
>>
> SPF mechanisms are evaluated in order, and each one has a result type
> associated with it. The default result is "+" for "pass". Another type
> of result is "?" for "neutral."
>
> The record,
> v=spf1 ptr:yahoo.com ptr:yahoo.net ?all
> is equivalent to
> v=spf1 +ptr:yahoo.com +ptr:yahoo.net ?all
> and it means
> a) PASS if "ptr:yahoo.com" matches
> b) PASS if "ptr:yahoo.net" matches
> c) NEUTRAL if "all" matches

I understand what their SPF record means and how it works, but what they are publishing in their SPF record is not common. Normally this would expand out to a list of IPs and CIDRs or DNS records that can be turned into IPs that postwhite can use to build a list for bypassing RBL checks. Their SPF record can really only be evaluated by the MTA during the SMTP conversation. This would require some mail log parsing to extract IPs that have already been seen by your mail server, and they could not be determined in advance. This would be better than nothing but is not ideal. The main problem with parsing mail logs is the chicken-and-egg issue where you may block a Yahoo mail server with an RBL for a short period until you process the logs. I think they publish their SPF like this because they have no good list of outbound mail servers themselves, so they take the lazy approach.

Postfix is pretty flexible, so maybe there is a way to allow this by the PTR when the FCrDNS matches. You wouldn't want to rely on just the PTR record alone since that can be easily spoofed by a spammer with control of their reverse DNS zone for their IPs. FCrDNS would make that very difficult to spoof, and I am pretty sure this is the only way Postfix would allow it to pass its check.
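To make the evaluation order, the "+"/"?" qualifiers and the FCrDNS requirement of the "ptr" mechanism concrete, here is an added example (not code from this thread, postwhite or Postfix): a minimal SPF evaluator that walks the record left to right and, for "ptr", only accepts a PTR name that is under the given domain and whose forward A lookup contains the connecting IP. The DNS data is constructed, and the "ip4" mechanism is included to show the more common list-style record beside the Yahoo-style one.

```python
import ipaddress

# Constructed DNS data for the example (not real Yahoo records).
PTR = {"203.0.113.10": ["mta1.yahoo.com"],   # PTR and forward A agree (FCrDNS ok)
       "203.0.113.20": ["mta9.yahoo.net"],   # PTR exists, forward A points elsewhere
       "198.51.100.5": []}                   # no PTR at all
A = {"mta1.yahoo.com": ["203.0.113.10"],
     "mta9.yahoo.net": ["192.0.2.77"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ptr_matches(ip, domain):
    """RFC 7208 'ptr': a PTR name only counts if it is under `domain`
    AND its forward lookup contains the connecting IP (FCrDNS).
    A PTR alone is under the sender's control, so it is never trusted by itself."""
    for name in PTR.get(ip, []):
        name = name.rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            if ip in A.get(name, []):
                return True
    return False

def check_spf(record, ip):
    """Evaluate mechanisms in order; the first match decides the result.
    Assumes 'ptr' and 'ip4' always carry an explicit argument."""
    terms = record.split()
    assert terms[0].lower() == "v=spf1"
    for term in terms[1:]:
        qual, mech = "+", term              # no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "ptr":
            matched = ptr_matches(ip, arg.lower())
        else:
            continue                        # mechanisms not implemented here are skipped
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # RFC 7208 default when nothing matched

YAHOO_STYLE = "v=spf1 ptr:yahoo.com ptr:yahoo.net ?all"
LIST_STYLE = "v=spf1 ip4:203.0.113.0/24 -all"
```

Only the list-style record can be expanded into IPs ahead of time; the ptr-style one yields "pass" or "neutral" only once a connecting IP is known.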
