Chris Santerre wrote:
Second, I believe SPF records can be spoofed
Only to the extent that any DNS record can be spoofed.
use in a disposable manner.
In the sense that you can create any SPF entry you want... for your own domain. I could set one up with "+all" indicating that mail sent via any server on the Internet using my domain should be considered valid. I could buy up 100 disposable domains and put SPF on all of them.
That's why an SPF pass was never intended to bypass filters by itself... but it can be used to decide whether an address is reliable enough to check it against a whitelist.
Within the SpamAssassin scoring paradigm:
whitelisted domain without SPF = no rule triggered
whitelisted domain with SPF pass = apply nice rule & subtract points
Yup. Currently it's -7.5 for the whitelist match & SPF pass and then another -7.5 if the envelope sender and header 'From:' match, for a total of -15 like the current whitelist_from_rcvd.
whitelisted domain with SPF fail = apply forgery rule & add points
I had considered also adding a rule for whitelisted domains that failed an SPF check, but thought (for the time being anyway) it'd be best not to penalize them any more than the current SPF fail rule since many domains don't have up-to-date SPF records (often because they forget to add a webserver that sends out mail directly).
(I'm assuming that's how the feature is to be implemented, because that seems to me the most reasonable way to do it.)
Daryl
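The scoring logic Daryl describes above, written out as an added example that is not SpamAssassin's own code: the whitelist is matched against the envelope sender with `whitelist_from`-style wildcard patterns, a pass only counts when the domain is whitelisted, the envelope/From: match adds the second -7.5, and a whitelisted domain that fails SPF gets no extra penalty here. The rule names, the `Message` class and the sample addresses are assumptions made for the example.

```python
import fnmatch
import re
from dataclasses import dataclass

# Scores quoted in the thread; rule names are placeholders, not SpamAssassin's.
WL_SPF_PASS_SCORE = -7.5        # whitelist match + SPF pass
WL_SPF_FROM_MATCH_SCORE = -7.5  # envelope sender also matches header From:


@dataclass
class Message:
    envelope_sender: str  # MAIL FROM address that SPF was evaluated against
    header_from: str      # raw 'From:' header value
    spf_result: str       # 'pass', 'fail', 'none', ... (constructed input)


def extract_address(header_value):
    """Return the bare, lower-cased address from 'Name <user@dom>' or 'user@dom'."""
    m = re.search(r'<([^>]+)>', header_value)
    addr = m.group(1) if m else header_value
    return addr.strip().lower()


def whitelist_match(address, whitelist):
    """Match against whitelist_from-style patterns such as '*@example.com'."""
    return any(fnmatch.fnmatchcase(address, pat.lower()) for pat in whitelist)


def whitelist_spf_adjustment(msg, whitelist):
    """Return (score delta, rules hit) for the whitelist-plus-SPF logic."""
    sender = extract_address(msg.envelope_sender)
    score, hits = 0.0, []
    if not whitelist_match(sender, whitelist):
        return score, hits  # not whitelisted: an SPF pass alone earns nothing
    if msg.spf_result != 'pass':
        # Whitelisted but SPF did not pass: no extra penalty from this logic;
        # only the generic SPF fail rule (elsewhere) applies.
        return score, hits
    score += WL_SPF_PASS_SCORE
    hits.append('WL_SPF_PASS')
    if sender == extract_address(msg.header_from):
        score += WL_SPF_FROM_MATCH_SCORE
        hits.append('WL_SPF_FROM_MATCH')
    return score, hits


if __name__ == '__main__':
    wl = ['*@example.com']  # constructed whitelist
    print(whitelist_spf_adjustment(
        Message('bob@example.com', 'Bob <bob@example.com>', 'pass'), wl))
```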