On Wed, 9 Dec 2015, Alex wrote:
Please help me understand why SPF_FAIL would not be triggered when an
incoming email using my domain is received by a server that is not in
my SPF record.

I think you mean, *FROM* a server that is not in your SPF record.
SPF says nothing about the *recipient* MTA.

Unless that recipient MTA is my own, correct?

No. The recipient *does not matter*. SPF is vetting the *sending* MTA.

The SPF record contains a list of servers that are allowed to send
mail using my domain, including to my own MX.

Correct.

This can't be used for spoof protection for my own domain as easily as
for remote systems to ascertain whether an email received by a remote
system was sent legitimately from one of our systems?

Yes, it can be used for that purpose. That does not mean the recipient
matters. Your MTA is just another MTA using SPF to validate the sending
MTA.

However, that MTA also has the added burden of correctly classifying email
received from internal sources that do not appear in your public SPF
record.

SPF_FAIL should not be triggered when somebody else's MTA (which will not
be in your SPF record) receives a message using your domain *from* your
MTA (which will be in your SPF record).

If SPF_FAIL triggers in that situation, then SPF is pointless.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When I say "I don't want the government to do X", do not
automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
6 days until Bill of Rights day
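The point made in the reply above, that SPF evaluates the *sending* MTA's address and never the receiving MTA, and that a receiving MTA must separately exempt internal relays absent from the public record, can be seen in a small evaluator. The following is an added example and is not code from the thread or from SpamAssassin; the domain `example.com`, its SPF record, the `INTERNAL_NETWORKS` list and the addresses tested are all constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are implemented (no DNS lookups).

```python
import ipaddress

# Constructed SPF record for a made-up domain; a real check would fetch
# the TXT record from DNS. Addresses are from the documentation ranges.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# Hypothetical list of internal relays that hand mail to our own MTA but
# are deliberately absent from the public SPF record (the classification
# burden mentioned in the thread). Stands in for a trusted-networks setting.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Evaluate SPF for the connecting (sending) MTA's address.

    Only the sender's domain and the sending MTA's IP enter the
    evaluation; the identity of the receiving MTA is irrelevant.
    Mechanisms needing DNS (a, mx, include, ...) are skipped here.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"  # no SPF record published for the domain
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record ended without a matching mechanism


def classify_inbound(mail_from_domain, client_ip, internal=INTERNAL_NETWORKS):
    """What our own MTA should do with mail claiming our domain.

    Internal relays are recognised before SPF runs, so they are not
    wrongly marked as failures despite missing from the public record.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in internal):
        return "internal"
    return check_spf(mail_from_domain, client_ip)


if __name__ == "__main__":
    # Our listed MTA sending to anyone: pass. A stranger: fail.
    print(check_spf("example.com", "192.0.2.10"))      # pass
    print(check_spf("example.com", "198.51.100.7"))    # fail
    # Internal relay delivering to our own MTA: exempted, not a failure.
    print(classify_inbound("example.com", "10.0.0.5"))  # internal
```

Note that `check_spf` takes no argument describing the receiving server at all; whether the message arrives at a third party's MX or at your own MX, the result for a given sending address is the same. The `internal` branch in `classify_inbound` is where your own MTA must do the extra work the thread describes.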