vesely at tana
Nov 21, 2009, 11:56 PM
Post #7 of 7
Gino Cerullo wrote:
Re: How reliable is it to block/reject on SPF fail?
> On 21-Nov-09, at 3:39 PM, Scott Kitterman wrote:
>> On Sat, 21 Nov 2009 04:29:55 -0500 Thomas Harold
>> <thomas-lists [at] nybeta>
>>> What is the current thinking on rejecting at the SMTP transaction if you
>>> encounter an SPF fail?
>> As others have said, it varies a lot. Personally I think it's generally
>> fine as long as you offer a mechanism for whitelisting of non-SRS
> In addition, whitelisting should really only be used to allow for
> non-SRS forwarders from trusted sources and not as a solution to fix
> mis-configured SPF policies. Of course, temporarily whitelisting a
> mis-configured sender address is fine but it shouldn't be used as a
> permanent solution.
Those limitations only make sense because whitelisting is done by
IP. Whitelisting by sender's authenticated id would allow
fine-grained control -- see http://fixforwarding.org/. For a
forwarder, it is easier to use SRS than to obtain proper
whitelisting for each forwarding recipe it sets up, though.
> At some point those mis-configured SPF policies do need to be fixed
> and they won't if we don't fail them.
That's after the lack of an established mechanism to report
"softfail". DSNs are not always sent, while abuse-reporting
mechanisms are still obscure.
> Incidentally, in the five or so years that I've been rejecting mail on
> SPF FAIL I've only ever encountered one false positive and it was due to
> a mis-configuration. They were temporarily white-listed until the policy
> was fixed.
How did you know the forwarder belonged to the sender's side? Until
the policy had been changed, you couldn't have discerned
mis-configuration from plain violation.