> > > > > > What does "correctly setup SPF" mean to you? > > > > so your ip does not generate a softfail or fail > > Only way to make SPF never incorrectly fail/softwail is to use "+all", > but that kind of kills its point :-)
+all is in pass https://datatracker.ietf.org/doc/html/rfc4408#page-8 > (actually, even with +all, some sites will fail it - especially > because of it, as +all is sign of either intentional sloppy spammer > or incompetent postmaster, both likely leading to spam coming from > that site). I am not even sure if I am able to differentiate on this level in my milter. > > > What makes your opinion better than someone else's opinion that > differs? > > > (I take it for granted that someone will have a differing > opinion.) > > > > When you configure your spf your result is either pass, softfail or > fail > > I think we can agree that a correctly configured spf results in a > pass, don't you? > > Well *I* don't. Sometimes, maybe even often, it does. But not always. > > Any SPF, no matter how correctly configured, will lead to false > positives in some cases (e.g. encoutering mailing list or .forward No not, the sender chooses this setup, so there are no false positives. The sender does not want your server to send email from their domain. The only reason I can think of, for allowing fail/softfail is if you do not know your own infrastructure wel enough. .forward should be set to forward with your own email address if spf is configured for external, or if it stays internal, spf should be skipped. > We are NOT living in ideal world where everybody implements every > existing standard. Thus, even most correctly configured SPF will > sometimes softfail/fail, when it should not. > This is just crap. I think 99% of the implemented spf checks are not following your reasoning. It is like you are telling your bank please I would like to use these 2 payment cards to spend from my bank account. And because it is not an ideal world, your bank will allow me to spend from your account?
