>> Configure your policy service to reply with REJECT if you wish for
>> it to reject mail that fails SPF.
>>

I think that I have that correct already

[...]
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = True
TempError_Defer = False
[...]

>> The rest of your configuration is fine.
>>

Okay, so I will have to investigate that some more.

> I've found that legitimate mail fails SPF too often to reject. Problem is
> system administrators don't keep the policy up to date as the network
> changes, or they don't understand SPF.
>
> I think SPF is good for spam score but shouldn't reject based on it alone.

I have discussed this so many times with other server owners! I have changed
my mind on this more than once now. Finally I think I believe in the practice
that if the SPF, or DKIM, or DMARC record is published then it's the system
administrator's job and responsibility to make it correct. Or don't publish
it, period. It's too much work for me to be the spam police for my network AND
be the system administrator police for other networks. I think that if they
are responsible and just make a mistake then they will see the replies in the
logs and fix it. If they do not fix it then they are not responsible and there
is probably more from that network that I don't want.

On content in the body I agree of course that only scoring is the best
approach to it.
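The following is an added illustration, not code from this thread or from the policy daemon being discussed. It models what the quoted settings (HELO_reject, Mail_From_reject, PermError_reject, TempError_Defer) mean in practice: a toy SPF evaluator that only understands ip4, ip6 and all mechanisms, run against constructed in-memory records instead of DNS, followed by a mapping from the SPF result to a Postfix policy reply. The record data, the evaluate_spf and policy_action names, and the exact reply semantics are assumptions for the example; a real deployment relies on the policy daemon's own RFC 7208 implementation. Note the three cases the thread is really about: a domain with a stale record fails and is rejected, a domain with a syntactically broken record yields PermError and is rejected, and a domain that publishes nothing at all is simply passed through to scoring.

```python
import ipaddress

# Constructed policy settings mirroring the options quoted in the thread.
POLICY = {
    "HELO_reject": "Fail",
    "Mail_From_reject": "Fail",
    "PermError_reject": True,
    "TempError_Defer": False,
}

# Constructed SPF records standing in for DNS TXT lookups (no network access).
FAKE_DNS = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "stale.example": "v=spf1 ip4:198.51.100.10 -all",  # record never updated after a move
    "broken.example": "v=spf1 ip4:not-an-ip -all",     # syntax error -> PermError
}

# SPF qualifier characters mapped to the result they produce on a match.
QUAL = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}


def evaluate_spf(domain, sender_ip):
    """Minimal SPF check (hypothetical): ip4/ip6/all mechanisms only.

    Returns one of Pass, Fail, Softfail, Neutral, None, PermError.
    """
    record = FAKE_DNS.get(domain)
    if record is None:
        return "None"  # nothing published, so there is nothing to enforce
    terms = record.split()
    if terms[0] != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUAL:
            qualifier, mech = term[0], term[1:]
        try:
            if mech.startswith("ip4:") or mech.startswith("ip6:"):
                # Address-family mismatch is simply a non-match, not an error.
                if ip in ipaddress.ip_network(mech[4:], strict=False):
                    return QUAL[qualifier]
            elif mech == "all":
                return QUAL[qualifier]
            else:
                return "PermError"  # mechanism this toy evaluator does not support
        except ValueError:
            return "PermError"  # unparsable network in the record
    return "Neutral"  # record exhausted without a match (no 'all' term)


def policy_action(result, scope="Mail_From"):
    """Map an SPF result to a Postfix policy reply under POLICY (assumed semantics).

    scope is 'HELO' or 'Mail_From', selecting which *_reject setting applies.
    Anything not rejected or deferred is handed back for scoring.
    """
    if result == "Fail" and POLICY[f"{scope}_reject"] == "Fail":
        return "REJECT"
    if result == "PermError" and POLICY["PermError_reject"]:
        return "REJECT"
    if result == "TempError" and POLICY["TempError_Defer"]:
        return "DEFER_IF_PERMIT"
    return "DUNNO"


def decide(domain, sender_ip, scope="Mail_From"):
    """Convenience wrapper: evaluate SPF for the sender and return (result, action)."""
    result = evaluate_spf(domain, sender_ip)
    return result, policy_action(result, scope)


if __name__ == "__main__":
    for dom, ip in [("good.example", "192.0.2.7"), ("stale.example", "203.0.113.1"),
                    ("broken.example", "192.0.2.7"), ("nospf.example", "192.0.2.7")]:
        print(dom, ip, decide(dom, ip))
```

With PermError_reject left True, a domain whose record will not parse is treated as harshly as an outright Fail, which is exactly the trade-off the thread is weighing: it catches admins who published a record and never maintained it, at the cost of their legitimate mail.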