Am Montag, den 25.05.2015, 16:27 +0200 schrieb Sebastian Nielsen: > I would suggest explicity null:ing the SPF signature instead of passing it, > for list mail. > This is done with "v=spf1 ?all" > > A "null" SPF signature is same as no signature at all (same as if the SPF > record didnt exist at all), which will pass your mail into your mailsystem, > but the mail will not be explicity marked as genuine.
Thanks, that's a good point, changed that! > A even better idea for your list subdomain is to make the SPF record > low-TTL, and then use a script/webinterface or whatever to update the list > of authorized IPs everytime you subscribe to a new mailing list. > > Then you don't risk that your list subdomain become a phishing source due to > that it allows fraudulent source adresses. Another thing is that your domain > (not IP) risk getting on spam blocklists (RBL) if spam is found > out to have a authorized SPF signature, which can happen if someone spoof > your email domain. Need to think about that, thanks. However, right after sending the first mail to this list, I checked the query log of my primary DNS (can't check the secondary), and found >1000 queries for mail._domainkey.lists.microscopium.de TXT >100 queries for _dmarc.lists.microscopium.de TXT <10 queries for lists.microscopium.de TXT/SPF and microscopium.de TXT/SPF I wonder why I see so few SPF queries, is SPF far less popular than DKIM, or do these queries go elsewhere (to postfix.org)? Cheers, Robert -- Robert Senger