I belive policyd-spf replaces existing headers with its own. I got burnt once already with header_checks, it's a no go.
Getting back to the subject, I agree, it's probably not a big performance impact doing the check twice, especially since the DNS query is cached by the local resolver. I am wondering though, if it's already implemented in the plugin to check for headers, why it isn't working in my configuration? How is internal relays defined, and shouldn't my Postfix server be there? Elod G On 11/18/2015 16:55, Reindl Harald wrote: > > > Am 18.11.2015 um 15:49 schrieb Kevin Golding: >> So returning to your original questioning, changing to checking ALL >> instead of ALL-INTERNAL would result in checking against headers added >> by other relays and would presumably be spoofable. You may feel happy >> with this if you can ensure that any Received-SPF headers are removed >> upon entering your network > > you can't because "/^Received\-SPF.*/ IGNORE" in header_checks would > also remove the own policy-generated header before it enters the > milter and so you can't be sure it's your own >
