ietf-mxcomp

Re: DEPLOY: not at the University of Cambridge

2004-09-10 07:45:14

David Woodhouse wrote:

> I would consider bypassing SMTP verification
> callouts for sender addresses when there is an SPF/Sender-ID 'PASS'
> result, yet I would never consider actually rejecting mail due to a
> 'FAIL' result.

You would never? I do; on SPF "classic" FAIL, that is. And with no qualms about it either. "Be-FAIL ist be-FAIL", as a German would say. :)

I mean, seriously, I do so on the grounds that I am not even executing MY local policy, but that of the remote domain owner. Worried about losing legitimate mail? Why, that is a consideration made by the domain owner who published the "-all" SPF record. He apparently felt comfortable with that. And I just respect his wishes.

Furthermore, I attach the greater legal risk to accepting mail in cases where FAIL was prescribed. Not perhaps with your average vanity domain (Lord, I hate that term); but if a large financial institution says "FAIL this fake email, pretending to be from me, coming from a relay I have not authorized to send mail on my behalf," you can bet I will err on the side of caution, and REJECT according to their policy.

> We get spammers publishing their own records quicker
> than legitimate users do, proving that the only thing we've achieved
> at the end of it all is to 'reduce' it to... almost precisely the
> same problem -- only now we get to rate the trustworthiness of
> _domains_ rather than IP addresses.

Which is a hundred times easier than managing individual, ever-changing IP addresses/ranges. Blocklists based on domain names were pretty useless before SPF. But now they are hopefully coming back in fashion. And will make the New World perhaps not Braver, but easier, I hope. :)

Regards,

- Mark
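
The receiver-side decisions debated in this exchange, as an added example that is not part of either message: a simplified SPF check (only `ip4:`, `ip6:` and `all` are handled) feeding a hypothetical policy function that rejects on FAIL, skips the sender callout on PASS, and still consults a domain blocklist after a PASS. The function names, action strings, records, domains and addresses are all constructed for illustration.

```python
import ipaddress

# SPF qualifier prefix -> result name ("+" is the default qualifier).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate a simplified SPF record; only ip4:, ip6: and all are supported."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("mechanism outside this sketch: " + term)
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

def receiver_action(result, domain, blocked_domains, reject_on_fail):
    """Hypothetical SMTP-time policy combining the positions in the thread."""
    if result == "fail":
        # Rejecting here enforces the publisher's "-all", not a local guess.
        return "reject" if reject_on_fail else "accept-run-callout"
    if result == "pass":
        # PASS only authenticates the domain; reputation is a separate check.
        if domain in blocked_domains:
            return "reject"
        return "accept-skip-callout"
    return "accept-run-callout"

# Constructed sample data (documentation address ranges and example domains).
BANK = "v=spf1 ip4:192.0.2.0/24 -all"
SPAMMER = "v=spf1 ip4:198.51.100.7 -all"
BLOCKED = {"spam.example"}

if __name__ == "__main__":
    for dom, rec, ip in [("bank.example", BANK, "192.0.2.10"),
                         ("bank.example", BANK, "203.0.113.5"),
                         ("spam.example", SPAMMER, "198.51.100.7")]:
        res = spf_result(rec, ip)
        print(dom, ip, res, receiver_action(res, dom, BLOCKED, True))
```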