
Mailing List Archive: SPF: Help

SPF Softfail

 

 



mark.hale at gmail

Aug 7, 2007, 8:52 PM

Post #1 of 4 (2133 views)
SPF Softfail

Hi. I am new to spf but have been using the jspf implementation with
James with good results. I had a question about softfail and my
application. I am looking for anyone's advice about practical
experience.

I would like my application to be able to receive email from a user
registered on our system. I would not like someone to spoof and send
in email that looks like it is from a user.

I am wondering about softfail since I notice that in my beta testing
that many organizations use ~all which is causing the softfail for
valid emails. Is there any guidance on what I can do to further
verify that the email is not a spoof or practical experience on
whether spoof email would not just fail and give a softfail?

Your expertise is appreciated.

Mark

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=29344910-b7e25f
Powered by Listbox: http://www.listbox.com


scott at kitterman

Aug 7, 2007, 8:59 PM

Post #2 of 4 (2044 views)
Re: SPF Softfail

On Tuesday 07 August 2007 23:52, Mark Hale wrote:
> Hi. I am new to spf but have been using the jspf implementation with
> James with good results. I had a question about softfail and my
> application. I am looking for anyone's advice about practical
> experience.
>
> I would like my application to be able to receive email from a user
> registered on our system. I would not like someone to spoof and send
> in email that looks like it is from a user.
>
> I am wondering about softfail since I notice that in my beta testing
> that many organizations use ~all which is causing the softfail for
> valid emails. Is there any guidance on what I can do to further
> verify that the email is not a spoof or practical experience on
> whether spoof email would not just fail and give a softfail?
>
> Your expertise is appreciated.
>

In general, ~all is supposed to be for testing. The idea is that once a
record is tested, it would be changed to -all.

What I know some people have done is keep a list of commonly forged domains
(e.g. aol.com) and then they reject ?all or ~all from those domains.

My general advice is to not go beyond what the domain owner tells you and not
reject those mails. It would be reasonable to subject them to some
additional tests or spam filtering. That'd be up to you.

Scott K
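
The handling described in the reply above, sketched as an added example (not part of the original posts and not jSPF's API): read what a record's `all` term asserts, then map the SPF result to a local action. The action names, the sample records in the test data and the local `COMMONLY_FORGED` list are assumptions; rejecting `~all`/`?all` only for listed domains is the practice the reply mentions some receivers follow.

```python
# Added example: receiver-side handling of SPF results.
# Action names and the domain list are constructed for illustration.

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Hypothetical local list of domains this receiver sees forged often.
COMMONLY_FORGED = {"aol.com"}


def default_result(record):
    """Result a record gives to senders that match no earlier mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    has_redirect = False
    for term in terms[1:]:
        term = term.lower()
        qualifier, mechanism = "+", term  # a missing qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, mechanism = term[0], term[1:]
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]  # terms after "all" never apply
        if term.startswith("redirect="):
            has_redirect = True
    # Without "all", the answer comes from the redirect target (not followed
    # here); with neither, the default result is neutral.
    return "redirect" if has_redirect else "neutral"


def decide(result, sender_domain, strict_domains=COMMONLY_FORGED):
    """Map the SPF result for the envelope sender to a local action."""
    result = result.lower()
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"  # the domain owner published -all
    if result in ("softfail", "neutral"):
        # Going beyond what the owner asked, only for locally listed domains.
        if sender_domain.lower() in strict_domains:
            return "reject"
        return "extra-checks"  # accept, then run further tests or spam filtering
    # none, temperror, permerror: no usable statement from the owner
    # (treating them like softfail is an assumption of this example).
    return "extra-checks"
```
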



spf at beer

Aug 7, 2007, 11:59 PM

Post #3 of 4 (2045 views)
Re: SPF Softfail

> I would like my application to be able to receive email from a user
> registered on our system. I would not like someone to spoof and send
> in email that looks like it is from a user.

SMTP-AUTH is the technology to use for that. SPF is about stopping
fraudsters impersonating your domain, rather than your users...

Vic.



paddy at panici

Aug 8, 2007, 3:27 AM

Post #4 of 4 (2068 views)
Re: SPF Softfail

On Wed, Aug 08, 2007 at 07:59:22AM +0100, Vic wrote:
> > I would like my application to be able to receive email from a user
> > registered on our system. I would not like someone to spoof and send
> > in email that looks like it is from a user.
>
> SMTP-AUTH is the technology to use for that. SPF is about stopping
> fraudsters impersonating your domain, rather than your users...

auth is only half the picture. without something like spf, what
is there to distinguish between legitimate and forged mails doing:

MAIL FROM:<foo [at] example>
RCPT TO:<foo [at] example>

Regards,
Paddy

