[plug] Sender Policy Framework (SPF)
Craig Ringer
craig at postnewspapers.com.au
Wed Sep 8 18:13:56 WST 2004
Nick Bannon wrote:
> Right now, as you were probably referring to, the fact that an email has
> passed SPF validation means that it's probably spam.
> http://www.ciphertrust.com/spf_stats
Most frustrating, isn't it ;-)
I'm inclined to demote SPF fails in spam scores but not promote SPF
passes. IMO this is just logical, and the fact that spammers are
exploiting others' misconfigured spam filters merely makes it more
important to implement.
> However, looking into it, my scepticism has gone up a notch with regard
> to SPF being anything other than an advisory mechanism.
> * It's tacking its extra meaning into DNS TXT records - fine for
> experimentation, but we're not meant to use that forever, are we?
I believe there was a _lot_ of discussion about that one ;-) . It's not
easy to get DNS admins to update working software, and TXT is already
out there. I guess they could change later, but I'd be surprised if it
ever happened.
> * SPF records aren't self contained, or even strictly hierarchical. You
> can recurse by including any other domain's SPF records!
Yikes.
> Tagging mail with SPF results should be useful, but rejecting mail
> based on SPF results seems dangerous.
I must firmly agree there. I may eventually quarantine SPF fails, but am
unlikely to reject them flat out in the near future.
--
Craig Ringer
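
An added example, not part of the original message: it follows `include:` terms across domains the way the quoted concern describes, flags a loop or an excessive lookup count, and then applies the policy from the reply (a fail raises the spam score, a pass earns nothing, nothing is rejected). The zone data, score values and function names are constructed for illustration, and the lookup cap of 10 is taken from RFC 7208.

```python
# Constructed TXT records standing in for DNS; every domain and address is made up.
ZONE = {
    "example.org": "v=spf1 include:_spf.mailhost.example include:lists.example.net -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example.com ~all",
    "relay.example.com": "v=spf1 ip4:198.51.100.7 -all",
    "lists.example.net": "v=spf1 include:example.org ?all",  # points back at the start
}
MAX_LOOKUPS = 10  # assumption: the per-check lookup cap from RFC 7208


def include_chain(domain, zone=ZONE, limit=MAX_LOOKUPS):
    """Return (domains consulted, problems) for evaluating `domain`'s SPF record."""
    consulted, problems = [], []

    def walk(name, path):
        if name in path:  # this domain is already being evaluated further up
            problems.append("include loop: " + " -> ".join(path + [name]))
            return
        if len(consulted) >= limit:
            problems.append("lookup limit reached at " + name)
            return
        consulted.append(name)
        record = zone.get(name, "")
        if not record.startswith("v=spf1"):
            problems.append("no SPF record at " + name)
            return
        for term in record.split()[1:]:
            if term.startswith("include:"):
                walk(term.split(":", 1)[1], path + [name])

    walk(domain, [])
    return consulted, problems


# Hypothetical score deltas: a fail costs points, a pass earns no credit.
SCORE = {"fail": 3.0, "softfail": 1.0, "pass": 0.0,
         "neutral": 0.0, "none": 0.0, "permerror": 0.0}


def tag_and_score(result, problems=()):
    """Tag the message and adjust its spam score; never returns a reject decision."""
    if problems:  # an unresolvable include chain is an error, not a fail
        result = "permerror"
    return "Received-SPF: " + result, SCORE[result]
```

Evaluating `example.org` here consults four domains run by three different parties before the loop is caught, which is the dependency the quoted bullet point is worried about.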