On 07/23/2013 03:30 AM, Chris Angelico wrote:
> On Tue, Jul 23, 2013 at 7:19 PM, Chris Angelico <ros...@gmail.com> wrote:
>> Ah, there's a solution to this one. You simply use your own
>> envelope-from address; SPF shouldn't be being checked for the From:
>> header.
>
> There's an example, by the way, of this exact technique right here -
> python-list@python.org sends mail to me with an envelope-from of
> "python-list-bounces+rosuav=gmail....@python.org" - which passes SPF,
> since python.org has a TXT record designating the sending IP as one of
> theirs. It doesn't matter that invalid.invalid (your supposed domain)
> doesn't have an SPF record, nor would it be a problem if it had one
> that said "v=spf1 -all", because that domain wasn't checked. Mailing
> lists are doing the same sort of forwarding that you're doing.
This is good and all, and I think I will modify my local postfix mail server I use for personal stuff, just for correctness' sake. I hadn't spent much time studying SPF in depth before, but after reading your comments (which were insightful) I'm now more convinced than ever that SPF is worthless, at least as a spam prevention mechanism. Spammers can use throwaway domains that publish very non-strict SPF records, and spam to their hearts' content with random forged From addresses, and SPF checks pass. The only way around that is to enforce SPF on the From: header in the e-mail itself, which we all agree is broken.

I've been reading this: http://www.openspf.org/FAQ/SPF_is_not_about_spam

Not very encouraging. When the other expensive options for going after spammers who have valid SPF records, they propose domain blacklists as a solution.

-- 
http://mail.python.org/mailman/listinfo/python-list
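Added example, not part of the thread above: a toy SPF evaluator run over constructed, in-memory TXT records (the IP ranges and the records for python.org, invalid.invalid, throwaway.example and lists.example are all made up for illustration). It makes the two points of the exchange concrete from a receiver's side: SPF is evaluated against the envelope-from (MAIL FROM) domain, so a list relay whose envelope-from is under python.org passes even when the From: header names a domain publishing "v=spf1 -all", and a domain that publishes "+all" passes from any IP, which is why an SPF pass alone says nothing about whether mail is spam. Only the ip4/ip6/include/all mechanisms are implemented; a, mx, exists and macros are left out, and real deployments should use a proper library such as pyspf.

```python
"""Toy SPF evaluator over constructed records (illustration only)."""
import ipaddress
import re
from typing import Dict, Optional

# Constructed stand-in for DNS TXT lookups. None of these records or
# addresses are real; they exist only to exercise the evaluator.
FAKE_TXT: Dict[str, str] = {
    "python.org":        "v=spf1 ip4:203.0.113.0/24 -all",   # list relay's range
    "invalid.invalid":   "v=spf1 -all",                      # strict: nobody may send
    "throwaway.example": "v=spf1 +all",                      # permissive: anyone passes
    "lists.example":     "v=spf1 include:python.org -all",   # delegates to python.org
}

_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
_TERM_RE = re.compile(r"([+\-~?]?)(all|ip4|ip6|include)(?::(.*))?")
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10


def lookup_spf(domain: str, txt: Dict[str, str] = FAKE_TXT) -> Optional[str]:
    """Return the v=spf1 record for a domain, or None if it publishes none."""
    rec = txt.get(domain.lower())
    if rec is None or not rec.startswith("v=spf1"):
        return None
    return rec


def envelope_domain(address: str) -> Optional[str]:
    """Domain part of an address; VERP local parts such as
    'list-bounces+user=gmail.com@python.org' still yield 'python.org'."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def check_spf(sender_ip: str, mail_from: str,
              txt: Dict[str, str] = FAKE_TXT, depth: int = 0) -> str:
    """Evaluate SPF for the envelope sender (MAIL FROM) against sender_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    domain = envelope_domain(mail_from)
    if domain is None:
        return "none"
    rec = lookup_spf(domain, txt)
    if rec is None:
        return "none"
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:          # skip the "v=spf1" version tag
        m = _TERM_RE.fullmatch(term)
        if not m:
            return "permerror"            # unsupported mechanism in this toy
        qual, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            if arg is None:
                return "permerror"
            # 'in' is False across address families, so ip4 never matches an IPv6 sender
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:  # include: matches only if the included domain yields 'pass'
            if arg is None:
                return "permerror"
            matched = check_spf(sender_ip, "postmaster@" + arg, txt, depth + 1) == "pass"
        if matched:
            return _QUALIFIER_RESULT[qual]
    return "neutral"                      # no mechanism matched, no 'all' term


def spf_result_for_message(sender_ip: str, mail_from: str, header_from: str,
                           txt: Dict[str, str] = FAKE_TXT) -> Dict[str, Optional[str]]:
    """What an SPF-checking receiver does: evaluate MAIL FROM and ignore the
    From: header entirely. Both domains are reported so the gap is visible."""
    return {
        "checked_domain": envelope_domain(mail_from),
        "from_header_domain": envelope_domain(header_from),
        "spf": check_spf(sender_ip, mail_from, txt),
    }


if __name__ == "__main__":
    # The list-relay case from the thread, with a constructed relay IP.
    print(spf_result_for_message("203.0.113.10",
                                 "python-list-bounces+rosuav=gmail.com@python.org",
                                 "someone@invalid.invalid"))
    # The same From: header sent directly from an unrelated host fails.
    print(check_spf("198.51.100.7", "someone@invalid.invalid"))
    # A permissive "+all" domain passes from anywhere.
    print(check_spf("198.51.100.7", "anything@throwaway.example"))
```

The result dictionary shows `checked_domain` as python.org and `spf` as pass while `from_header_domain` is invalid.invalid, which is exactly the mismatch the thread discusses: SPF vouched for the relay's envelope domain, not for the address the recipient sees.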