On 06/10/2010, at 9:37 AM, Noel Butler wrote:

> On Tue, 2010-10-05 at 23:46 +0200, mouss wrote:
>> On 04/10/2010 23:03, Terry Gilsenan wrote:
>>> Configure postfix to use SPF, and setup an SPF record in DNS for that
>>> domain.
>>>
>>
>> then what? you reject mail because of spf fail? that would lead to false
>> positives...
>>
>>
>
> We've used it for years, had very little complaints, maybe half a dozen in
> all that time.
> SPF is a "must use" IMHO, and by use of "-all" ... providing you configure
> your DNS correctly.

...and then a user puts in a .forward file (or equivalent) to send mail to another address. Now SPF is broken on the forwarded account as your mail server very likely doesn't have an SPF record for the original sender.

Oops - SPF is broken in these situations and therefore can't be used to arbitrarily reject messages on SPF failures. The best it can do is be added as a heuristic to an overall message evaluation (spamassassin et al).

Cheers,
James
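
The forwarding case described in the message above, as an added example that is not part of the original thread: a simplified SPF evaluator (only `ip4` and `all` are handled) run for direct delivery and for a `.forward` relay that keeps the original envelope sender. The domains, addresses and score values are constructed assumptions, not SpamAssassin's real weights.

```python
import ipaddress

# Constructed SPF records, using documentation domains and address ranges.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SPF_FAIL_POINTS = 2.0  # assumed weight of an SPF fail in a scoring filter
THRESHOLD = 5.0        # assumed score at which mail is rejected


def check_spf(client_ip, mail_from):
    """Evaluate the envelope sender's SPF record against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"


def disposition(spf_result, other_score, policy):
    """'reject' policy refuses on SPF fail alone; 'score' policy only adds
    points to the score produced by the other checks."""
    if policy == "reject":
        return "reject" if spf_result == "fail" else "accept"
    score = other_score + (SPF_FAIL_POINTS if spf_result == "fail" else 0.0)
    return "reject" if score >= THRESHOLD else "accept"


if __name__ == "__main__":
    sender = "alice@sender.example"
    direct = check_spf("192.0.2.10", sender)       # sender's own server
    forwarded = check_spf("198.51.100.7", sender)  # forwarder's server relays it
    print("direct:", direct, "| forwarded:", forwarded)
    for policy in ("reject", "score"):
        # 0.5 is a constructed score for an otherwise clean message.
        print(policy, "->", disposition(forwarded, 0.5, policy))
```

With the hard-reject policy the forwarded copy of a legitimate message is refused; with the scoring policy the same SPF fail only pushes a message over the threshold when other checks have already raised its score.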