On Tue, Jun 30, 2009 at 7:11 AM, Rich Kulawiec<rsk(_at_)gsp(_dot_)org> wrote:
On Tue, Jun 30, 2009 at 10:55:04AM +0100, Ian Eiloart wrote:
However, I do believe that people should take SPF records into account
when deciding whether to generate bounce messages.
Despite the ostentatious claims made by its originator ("Spam as a
technical problem is solved by SPF"), SPF has no anti-spam value.
Nor should it be used when deciding whether to generate a bounce:
the answer to that is always "no". It's far better to reject (not
to mention far simpler, with any sane MTA) and thus greatly diminish
the possibility of outscatter/backscatter spam.
---Rsk
I'm going to agree with Rich that it's better to reject than to
bounce. I can't speak to whether SPF has anti-spam value generally but
my experience with publishing -all records for a number of well known
large sending sites is that it is useful in addressing phishing at the
risk of a small amount of breakage. (Different folks will have
different thresholds for this type of tradeoff) This is particularly
true if used in conjunction with DKIM signing all outbound mail and
making an assertion that one signs all mail. For other types of
senders YMMV.
As far as whether this is empirical or anecdotal, my statements are
based on a corpus of approximately 750 million sent emails with
analysis of outbound MTA logs for immediate rejects/bounces as well as
bounces/DSNs that come in later.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg