[EMAIL PROTECTED] wrote:
> I'd love to implement SPF checks in SA rather than having to run two
> milters on our sendmail, but there's a fundamental flaw in the
> whitelisting for SPF.

SPF based *whitelisting* isn't in a currently released version of SpamAssassin, although it will be in 3.1.
SPF checks, however, are in current versions of SpamAssassin.

> It looks like the whitelist applies to internet domains or email
> addresses. Whitelisting those automatically defeats the purpose of
> SPF.

Again SPF checks aren't whitelisting. The SPF checks in SpamAssassin give no benefit for an SPF PASS. There is a penalty for SPF FAIL though. That is, if the message fails an SPF check the message's score is increased. The score is NOT reduced when the message passes an SPF check.
SPF, by itself, is NOT a method to stop spam. It only serves to verify a mail is from the network of the domain it claims to be from.

> If you whitelist (bad example, but...) [EMAIL PROTECTED], you play into the
> spoofer's hand by allowing any mail from that domain to pass.

Well, if you were to *whitelist* [EMAIL PROTECTED], that would be what you are asking for, i.e., any mail from that domain to pass.
The SPF checks simply check to make sure that mail is from the network it should be for mail originating from a particular domain.
Again, there is currently no method in SpamAssassin to *whitelist* a domain based on an SPF check. However, if there were (and there will be soon), mail would have to come from the network described in that domain's SPF record for it to pass the SPF whitelist. A spammer couldn't send mail from their own network pretending to be some other domain (that's the whole point of SPF).

> The "correct" whitelisting method would be to whitelist trusted IP
> addresses.

Feel free to use whitelist_from_rcvd for your whitelisting needs. SPF checks have nothing to do with whitelisting in current SpamAssassin versions.
Daryl
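
The scoring behaviour described in the message above, as an added example that is not part of the original post and is not SpamAssassin code: an SPF fail raises the score, an SPF pass changes nothing, and a whitelist gated on SPF applies only when the mail comes from a network the domain authorises. The domain, networks, score values and function names are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: the networks a domain authorises in its SPF
# record, simplified here to ip4 ranges followed by "-all".
SPF_NETWORKS = {"example.com": ["192.0.2.0/24"]}
WHITELISTED_DOMAINS = {"example.com"}

SPF_FAIL_SCORE = 1.0      # hypothetical penalty, not SpamAssassin's real score
WHITELIST_SCORE = -100.0  # hypothetical whitelist bonus


def spf_result(sender_domain, client_ip):
    """Return 'pass', 'fail' or 'none' for the simplified policy above."""
    nets = SPF_NETWORKS.get(sender_domain)
    if nets is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return "pass"
    return "fail"


def score(sender_domain, client_ip, base, whitelist_mode):
    """Score a message.

    whitelist_mode is 'off', 'domain' (whitelist on the sender domain
    alone) or 'spf' (whitelist only when the SPF check also passes).
    """
    result = spf_result(sender_domain, client_ip)
    total = base
    if result == "fail":
        total += SPF_FAIL_SCORE  # a fail is penalised
    # A pass earns nothing by itself: it only confirms the source network.
    listed = sender_domain in WHITELISTED_DOMAINS
    if listed and (
        whitelist_mode == "domain"
        or (whitelist_mode == "spf" and result == "pass")
    ):
        total += WHITELIST_SCORE
    return result, total


if __name__ == "__main__":
    genuine, spoofed = "192.0.2.10", "203.0.113.5"  # constructed addresses
    for mode in ("off", "domain", "spf"):
        for ip in (genuine, spoofed):
            print(mode, ip, score("example.com", ip, 3.0, mode))
```
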