wayne wrote:
In <404A190C(_dot_)5070208(_at_)greptar(_dot_)com> Nathan Wharton
<naw(_at_)greptar(_dot_)com> writes:
From what I understand, if a domain hasn't published any SPF
records, or doesn't even exist, I shouldn't be getting an SPF fail
on something from them. Is this right?
That is correct.
So, does this mean a spammer can bypass SPF by just using HELO
bogusdomain.com and MAIL FROM: <>?
If it is, then that has not been my experience. If a bounce comes
from a machine that has a bogus HELO, it gets an SPF fail:
[example from the postfix SPF stuff deleted]
I would say that this is a bug in the postfix policy-spf code.
Then is it a bug in Mail::SPF::Query, then? The postfix policy code is
just a small wrapper around it.