On Jul 4, 2010, at 11:57 PM, Marc Perkel wrote:
> It's not even useful for white listing as spammers can set up SPF too.

That's not how whitelisting on SPF works. You don't whitelist *solely* on the presence of SPF. You whitelist the *combination* of a domain that you want and a positive SPF match.

Let's say you want to whitelist mail from example.com, and you don't want to worry about keeping track of their outgoing servers. You set up whitelisting using SPF such that...

1. Mail from example.com that doesn't pass SPF => neutral, go through normal filtering
2. Mail from example.com that DOES pass SPF => whitelisted
3. Mail from random spammer's domain that passes SPF => neutral, go through normal filtering

Multiply steps #1 and #2 by however many domains you want to whitelist, and it's a lot more convenient than keeping track of all their IP addresses yourself, especially if they have a lot of them or change them from time to time.

That's how SpamAssassin uses SPF to whitelist mail. (See the docs for whitelist_from_spf and similar rules.)

Notice that it really doesn't matter whether spammers set up their own SPF rules. Actually, you could make use of spammers' SPF records in some circumstances by adding a fourth possibility:

4. Mail from known spammer's domain that passes SPF => blacklisted

OK, that fourth possibility isn't likely to crop up very often, but it's still taking advantage of spammers using SPF...which, once again, doesn't interfere with SPF's usefulness as a component of whitelisting.
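
The four cases above, as an added example that is not part of the original message and not SpamAssassin's own code: a small classifier that keys the decision on the SPF-authenticated envelope domain together with the SPF result. It assumes the `Authentication-Results` header was stamped by your own MTA; the domain lists and sample headers are constructed for illustration.

```python
import re

# Hypothetical local policy lists (constructed for this example).
WHITELIST = {"example.com"}
BLACKLIST = {"known-spammer.example"}

# Pull the SPF result and the envelope sender it applies to from an
# Authentication-Results header added by the receiving MTA.
_SPF_RE = re.compile(r"\bspf=(\w+)\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", re.I)


def spf_identity(auth_results):
    """Return (result, domain) for the SPF check, or (None, None)."""
    m = _SPF_RE.search(auth_results)
    if not m:
        return None, None
    result, mailfrom = m.group(1).lower(), m.group(2).lower()
    # smtp.mailfrom may be a full address or a bare domain.
    domain = mailfrom.rsplit("@", 1)[-1].rstrip(".")
    return result, domain


def classify(auth_results):
    """Apply the four cases: the domain and the SPF pass are judged together."""
    result, domain = spf_identity(auth_results)
    if result != "pass":
        return "neutral"       # case 1: no SPF pass => normal filtering
    if domain in WHITELIST:    # exact match, so lookalike subdomains fail
        return "whitelisted"   # case 2: wanted domain + SPF pass
    if domain in BLACKLIST:
        return "blacklisted"   # case 4: known spammer domain + SPF pass
    return "neutral"           # case 3: any other domain + SPF pass


# Constructed sample headers, one per case.
SAMPLES = [
    "mx.local; spf=fail smtp.mailfrom=alice@example.com",
    "mx.local; spf=pass smtp.mailfrom=alice@example.com",
    "mx.local; spf=pass smtp.mailfrom=bob@random-sender.example",
    "mx.local; spf=pass smtp.mailfrom=bulk@known-spammer.example",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify(header), "<-", header)
```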