On 04/01/2006 5:39 PM, Matt Kettler wrote:
mouss wrote:
What happens with the _spf version if
- the domain allows any client to send?
Thus, don't use the SPF whitelist from domains you don't trust to be non-malicious. Then again, if you don't trust them to be non-malicious, you probably shouldn't be whitelisting them anyway.
Just to elaborate... whitelist_from_spf REQUIRES an SPF_PASS. An SPF_NEUTRAL (or any other) result will not trigger a whitelist hit, so senders matching a "?all" at the end of an SPF record will not trigger a whitelist hit. This is what makes whitelist_from_spf safe to use.
For "any client" to match an SPF based whitelist the site's SPF record would have to contain a "+all" token or something logically equivalent.
Daryl
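
The behaviour described in this thread, as an added example that is not part of the original messages and is not SpamAssassin's code: a simplified SPF evaluator showing that a client falling through to `?all` gets a neutral result and no whitelist hit, while `+all` or an equivalent catch-all gives a pass to any client. It assumes only the `ip4:` and `all` mechanisms with no DNS lookups, models only the SPF half of the whitelist (not the sender-address match), and uses hypothetical function names and constructed sample records.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208). A mechanism with no qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_terms(record):
    """Yield (qualifier, mechanism) for each term after the v=spf1 tag."""
    for term in record.split()[1:]:
        if term[0] in QUALIFIERS:
            yield term[0], term[1:]
        else:
            yield "+", term

def matches(mech, ip):
    """Match the modelled mechanisms; None means 'not modelled, skip'."""
    if mech == "all":
        return True
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    return None  # a, mx, include, redirect=... need DNS and are ignored here

def spf_result(record, client_ip):
    """First matching mechanism decides; no match at all is neutral."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech in parse_terms(record):
        if matches(mech, ip):
            return QUALIFIERS[qualifier]
    return "neutral"

def whitelist_hit(record, client_ip):
    """SPF half of whitelist_from_spf (assumed model): only a pass counts."""
    return spf_result(record, client_ip) == "pass"

def has_catch_all_pass(record):
    """True if a pass-qualified term covering all of IPv4 is reached
    (+all, bare all, ip4:0.0.0.0/0) before any other catch-all term."""
    for qualifier, mech in parse_terms(record):
        covers_all = mech == "all" or (
            mech.startswith("ip4:")
            and ipaddress.ip_network(mech[4:], strict=False).prefixlen == 0)
        if covers_all:
            return qualifier == "+"
    return False

if __name__ == "__main__":
    # Constructed records; 198.51.100.7 is a documentation-range address.
    for rec in ("v=spf1 ip4:192.0.2.0/24 ?all", "v=spf1 +all"):
        print(rec, "->", whitelist_hit(rec, "198.51.100.7"), has_catch_all_pass(rec))
```

Running `has_catch_all_pass` over the SPF records of domains you plan to whitelist flags the ones where an SPF pass says nothing about which host sent the mail.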