On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
> On Fri, 11 Sep 2009, MySQL Student wrote:
>
>>> are you receiving forwarded emails from spf domains ?
>>
>> If I understand correctly, no. I have no relationship with any external
>> source and their SPF records.
>>
>>> if so add the forward ip to trusted_networks (so spf will be disabled
>>> from this hosts)
>>
>> Do you mean to avoid the processing overhead? IOW, don't bother
>> checking SPF records for trusted domains?
>
> One of the problems with SPF is that someone who sets up forwarding (e.g.
> you have a gmail account, and you set it to automatically forward
> messages to your "real" account) breaks SPF checks for messages received
> via the forward. If I send a mail to your gmail account, and google
> forwards it to your real account, your MTA will see a message from an
> @impsec.org address originating from an MTA that my SPF record says is
> not a valid source. SPF fail.

Bad example, gmail rewrites forwards properly coming from y...@gmail.com.

> If you tell SA that google is trusted, that pushes the SPF test point
> back one step - where did *google* receive the message from?
> mail.impsec.org? Okay, then - SPF pass.

PS. SPF is checked on internal, not trusted border. Even though they are the same for most people.. and I don't think you can disable SPF checks in any way except fully.
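
The forwarding case discussed in this thread, as an added example that is not part of either poster's message: a simplified Python model of where the SPF test point lands when a forwarder that keeps the original envelope sender is, or is not, listed inside the boundary. All hosts, IPs and the `SPF_ALLOWED` table are constructed, and `boundary_networks` is a hypothetical stand-in for the network setting the thread discusses; it does not reproduce SpamAssassin's code or do DNS lookups.

```python
import ipaddress

# Constructed SPF data: sender domain -> networks allowed to send for it.
# A real check resolves the domain's TXT record; this table stands in for DNS.
SPF_ALLOWED = {"sender.example": ["192.0.2.0/24"]}

# Constructed Received chain, newest hop first: (receiving host, connecting IP).
RECEIVED = [
    ("mx.real.example", "198.51.100.25"),     # forwarder -> our MTA
    ("mx.forwarder.example", "192.0.2.10"),   # sender's MTA -> forwarder
]


def in_any(ip, networks):
    """True if ip falls inside any of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def spf_test_point(received, boundary_networks):
    """Return the connecting IP of the newest hop handed over by a relay
    outside boundary_networks, i.e. the client SPF is evaluated against."""
    for _by_host, client_ip in received:
        if not in_any(client_ip, boundary_networks):
            return client_ip
    return None  # every hop was inside the boundary: nothing to check


def spf_result(sender_domain, received, boundary_networks):
    """Simplified SPF verdict: pass, fail, or none."""
    client_ip = spf_test_point(received, boundary_networks)
    allowed = SPF_ALLOWED.get(sender_domain)
    if client_ip is None or allowed is None:
        return "none"
    return "pass" if in_any(client_ip, allowed) else "fail"


if __name__ == "__main__":
    # Forwarder outside the boundary: SPF sees the forwarder's IP.
    print(spf_result("sender.example", RECEIVED, []))
    # Forwarder listed in the boundary: test point moves back one hop.
    print(spf_result("sender.example", RECEIVED, ["198.51.100.25/32"]))
```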