Hi,

I have a few questions about SPF as it relates to SpamAssassin, and more specifically, as it relates to stopping incoming phishing attempts, assuming we're using "-all".

I'd like to make sure incoming mail that appears to be "From:" one of our internal users has indeed gone through one of the systems specified in the SPF record, resulting in an SPF_PASS. Will all other mail with our domain in the "From:" result in an SPF_FAIL? Will a rule need to be created to mark as spam any of those that lack any SPF info at all?

I believe the KAM rules (KAM_LAZY_DOMAIN_SECURITY, for example) will catch some of these, but in the specific case of domain spoofing/phishing, we wish to block all incoming attempts that aren't authorized.

While the MX systems are all Linux, the outbound are Exchange, limiting our ability to install DKIM, thereby also limiting the effectiveness of a DMARC effort, I believe.

I was thinking of just creating a DMARC TXT entry for the domain, but SA doesn't have rules that act upon this info? I believe I can use DMARC without DKIM, as long as SPF is implemented properly.

Hopefully my situation is clear. I'd like to know the best approach to go about blocking spoofed email with SpamAssassin for a domain with an SPF record and, possibly, a DMARC record as well.

Thanks,
Alex
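
The check asked about above, as an added example that is not part of the original post: SPF is evaluated against the envelope sender (MAIL FROM), not the "From:" header, so an SPF pass only covers the "From:" header when the two domains align, which is the comparison DMARC makes. The domain `example.com`, the function names and the sample messages are constructed assumptions, and relaxed alignment is simplified here to a suffix match on the protected domain.

```python
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: placeholder for the protected domain


def domain_of(value: str) -> str:
    """Lower-cased domain of a From: header value or envelope address."""
    return parseaddr(value)[1].rpartition("@")[2].lower().rstrip(".")


def under(domain: str, parent: str) -> bool:
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def verdict(header_from: str, mail_from: str, spf_result: str) -> str:
    """Classify a message from its From: header, MAIL FROM and SPF result."""
    if not under(domain_of(header_from), OUR_DOMAIN):
        return "not-our-domain"
    # SPF only vouches for the envelope domain, so a pass counts for the
    # From: header only when the envelope domain is ours as well.
    if spf_result == "pass" and under(domain_of(mail_from), OUR_DOMAIN):
        return "authorized"
    return "spoofed-from"


# Constructed sample messages: (From: header, MAIL FROM, SPF result)
SAMPLES = [
    ("Alice <alice@example.com>", "alice@example.com", "pass"),
    ("Alice <alice@example.com>", "bounce@unrelated.test", "pass"),
    ("Alice <alice@example.com>", "alice@example.com", "fail"),
    ("Alice <alice@example.com>", "<>", "none"),
    ("Bob <bob@other.test>", "bob@other.test", "pass"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{verdict(*sample):15} {sample}")
```

The second sample is the case a test on SPF_PASS alone lets through: the envelope domain passes its own SPF check while the "From:" header carries the protected domain.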