On Nov 28, 2007, at 11:26 AM, Dean Brooks wrote:

On Wed, Nov 28, 2007 at 11:06:40AM -0600, Matt wrote:
Your spf record is broken:

dovecot.org.            39942   IN      TXT     "v=spf1 a -all"

Care to tell also why? dovecot.org's mails are sent from the same IP as
its A record.

Hmmm.  I would have listed mx as well but that's just me.  But just
listing a is likely better in that there are fewer lookups for the
receiving system.

One thing that bugs me is why we must now implement domainkeys on top
of SPF.  SPF pretty much does everything domainkeys does but simpler.

Because SPF is a broken hack that doesn't properly accommodate the
forwarding of email without the use of other complicating hacks
such as SRS which mangle the sender address.

SPF should have been scrapped years ago.  Instead, most large
organizations use "?all" in their SPF entry (typically because of the
forwarding problem), putting SPF in advisory mode which negates the
whole purpose of having it anyway.

I disagree.
The only way you should be using SPF on the receiving end is as an additional weight for spam scoring.

That covers forwarding, ddns home users, and misc other issues. Not only can you not be assured that an email is sent from a particular host, but you can't be assured everyone's upstream DNS has cached your record properly. IMHO, to assume a DNS record is going to be kept up to date and correct 100% of the time is just silly. By requiring an exact match to prevent a rejection, those who do this are risking many outright rejections which negatively affect their perceived service levels.

Rick
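To illustrate the scoring approach Rick argues for (weight an SPF failure rather than reject on it), here is an added example, not code from any poster, of a toy evaluator for the `a`, `mx`, `ip4` and `all` mechanisms discussed in the thread. The DNS data and the score weights are constructed, not real dovecot.org records.

```python
import ipaddress

# Constructed stand-in for DNS lookups (not real dovecot.org data): the A and MX
# records a receiver needs to evaluate the mechanisms used in the thread.
FAKE_DNS = {
    ("dovecot.org", "A"): ["192.0.2.10"],
    ("dovecot.org", "MX"): ["mail.dovecot.org"],
    ("mail.dovecot.org", "A"): ["192.0.2.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ips_for(name, rtype="A"):
    return set(FAKE_DNS.get((name, rtype), []))


def check_spf(record, domain, client_ip):
    """Evaluate a v=spf1 record supporting a, mx, ip4 and all.
    Returns pass/fail/softfail/neutral, 'none' if not an SPF record,
    or 'permerror' for a mechanism this toy evaluator does not know."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"                       # implicit qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = str(ip) in _ips_for(arg or domain)
        elif mech == "mx":
            mx_hosts = _ips_for(arg or domain, "MX")
            matched = any(str(ip) in _ips_for(mx) for mx in mx_hosts)
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]      # first matching mechanism decides
    return "neutral"                     # nothing matched and no 'all' term


# Assumed weights (not from the thread): an SPF fail only raises the spam
# score, so a forwarded message that fails under "-all" is weighted, not bounced.
SPF_WEIGHTS = {"fail": 3.0, "softfail": 1.0, "neutral": 0.0,
               "pass": 0.0, "none": 0.0, "permerror": 0.5}


def spf_score(record, domain, client_ip):
    """Spam-score contribution of the SPF result for this message."""
    return SPF_WEIGHTS[check_spf(record, domain, client_ip)]
```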
