Mike Jackson wrote:
> Before my actual question, here's a little background. Right now, I
> see how pointless SPF is; few domains publish records, even fewer MTAs
> running in the wild use SPF to accept/reject mail. When I look at the
> SPF scoring on my server (where I'm running an SPF milter for
> Sendmail), most of the mail with neutral SPF answers were sent from
> servers that should in no way be authorized to send mail for the
> domain. So, it got me thinking...

I wouldn't say SPF is pointless.. I would however say that many people
expect it to be more than it could ever possibly be.

>
> Shouldn't mail be sent through the MX for a domain?

Not if the domain is of any decent size.. Using different servers for
outbound vs inbound mail is a very common load balancing tactic for
large sites. Which is why SPF was created in the first place, because
you can't assume that mail is sent by the MX.

>
> Yes, I know MX records are for receiving mail, but in common practice
> the servers they represent do double duty, both receiving mail from
> the outside world and allowing users to send mail as well.

At tiny sites, that's true. At large ISPs it is exceptionally rare.

> Somewhere in the Received: headers, it seems like you would see one of
> the MXes as a sender on most legitimate messages.

Really? Have you really checked that for any large domains? How about
this message? What about a message from gmail? aol? comcast?

> I'm sure someone's had this idea before (it's so obvious that I can't
> believe that they wouldn't), but there must be some reason it's not
> used as a flag for incoming spam. I've been thinking about investing
> some time into writing a SpamAssassin plugin that would check the
> Received headers for signs of an MX for the sender, but would I be
> wasting my time?
>

You'd be wasting your time. If a site's own administrator has a hard
time conclusively generating a list of all servers that originate mail
for his own domain, how do you expect to be able to do better as an
outsider?
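
Added example, not part of the original message: a small Python comparison of the "was it relayed by an MX?" heuristic with an SPF check, for a domain whose inbound and outbound servers are separate. The domain names, addresses and SPF records are constructed, and the evaluator covers only a subset of SPF (ip4, a, mx, include, all).

```python
import ipaddress

# Constructed DNS data for a hypothetical large domain: inbound MX hosts
# and outbound relays are different machines. MX/A entries are already
# resolved to addresses to keep the example offline.
ZONE = {
    "mx": {"example.com": ["192.0.2.10", "192.0.2.11"]},
    "a": {"example.com": ["192.0.2.80"]},
    "txt": {
        "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all",
        "_spf.example.net": "v=spf1 ip4:203.0.113.0/25 ?all",
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate the sender IP against the domain's SPF record in ZONE."""
    record = ZONE["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # recursion guard for nested includes
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = ip in ZONE[name].get(arg or domain, [])
        elif name == "include":
            # include matches only when the included record yields "pass"
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            continue  # mechanisms outside this subset are skipped
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched

def sent_via_mx(relay_ips, domain):
    """The heuristic from the thread: does any Received hop match an MX?"""
    return any(ip in ZONE["mx"].get(domain, []) for ip in relay_ips)
```

With this data, mail relayed by 198.51.100.25 passes SPF but fails the MX heuristic, while the MX host 192.0.2.10 satisfies the heuristic yet is not an authorized sender.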