spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel McDonald <>
Subject Re: email address forgery
Date Mon, 15 Nov 2010 15:22:21 GMT
On 11/14/10 9:41 AM, "Marc Perkel" <> wrote:

> On 11/11/2010 5:07 PM, Rob McEwen wrote:
>> On 11/11/2010 7:41 PM, Noel Butler wrote:
>>> Really? I don't use SPF in SA, only MTA, if that's the case,  it is a
>>> shame that SA also is behind the times. It was years ago SPF type was
>>> ratified. Justin: Any plans to change that?
>> I guess I'm one of those mail admins who is behind the times. But I
>> don't really care that much because I take the same position as Suresh
>> Ramasubramanian... that SPF is a failed technology because, for one, it
>> breaks e-mail forwarding and there are ALWAYS too many legit e-mail
>> forwarding situations (and legit substitutionary "from" situations--like
>> sending from one's phone) to create problems in comparison to the
>> problems that SPF solves.

I send from my phone just fine - Auth on the submission port to my home
servers, then SPF matches the policy just fine.
> What disturbs me the most about SPF is that it is the most widely
> adopted technology that just plain does not work.

It works perfectly well for what it is intended:  A way to establish a
moderate level of non-repudiation for sent mail.  As a method to validate
domains before whitelisting, it is ideal - lightweight and straightforward.

> It's almost cult like
> in nature. 

I've seen that behavior from the opponents, but that's probably because they
believe it to be some Final Solution to the SPAM Problem, and are unwilling
to consider it for what it really is.

> I'm someone who looks for any trick that works and it took me
> years to figure out any upside to SPF at all and that was very limited.
> I have evolved however from saying it is totally useless to barely
> useful. So I can see why if the SPF standard changed then no one is
> scrambling to adopt it.

> I do think however that there should be some kind of DNS lookup that can
> return information about where legit email for domains comes from. And
> that would have to includes lists of places that are sources of
> forwarded email.

That is also easily accomplished using SPF - just add an include: directive
for each domain that can legitimately forward your mail.  Assuming those
domains also have SPF records created...

Daniel J McDonald, CCIE # 2495, CISSP # 78281

View raw message