spf-discuss

Re: Backup MX + SPF?

2004-06-04 04:38:29
begin  Friday 04 June 2004 12:42, Paul Howarth quote:
Remember that you're only trusting the MX hosts for a mail domain that you
are hosting (so you must already have some trust level for that domain),
and only then for mail for a recipient in that domain. There's no trust
relationship for that MX for recipients in any other domain.

Remember also that SPF is not really an anti-spam technology in the first
place, and there are many ways for spammers to get around it, e.g. by
spoofing a domain that doesn't have an SPF record. If all the MXes for a
domain do SPF checks, then the spammer can't gain an advantage by choosing
the secondary MX anyway.

Regards, Paul.

In addition to the points, also consider what would happen _if_ the
primary MX could enforce SPF on the backup's behalf (for instance by
inspecting the Received: line that was inserted by the backup).

Your primary would notice that an unauthorized MTA would have
submitted the mail to the backup... But what would it do then?

 1. Reject it. Not good, as in that case, the backup would generate
    a bounce to the known-forged sender!
 2. Discard it. Not good, as in that case, we'd have a silent failure
    in the unlikely event that SPF wrongly categorized the mail as a
    forgery.

===> Thus the only solution is to have your backup run the same SPF
tests as the primary does.

Regards,

Alain
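
The three outcomes discussed in this message, traced in a small model; this is an added example, not part of the original post. The SPF data, addresses and function names are constructed for illustration, and the SPF check is simplified to `ip4` ranges with no DNS lookups.

```python
import ipaddress

# Constructed SPF data: example.org authorizes only 192.0.2.0/24 (a stand-in
# for "v=spf1 ip4:192.0.2.0/24 -all"; a real check would query DNS).
SPF_IP4 = {"example.org": ["192.0.2.0/24"]}

def spf_check(client_ip, mail_from):
    """Return 'pass', 'fail' or 'none' for the envelope sender's domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    nets = SPF_IP4.get(domain)
    if nets is None:
        return "none"  # no record published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def via_backup(client_ip, mail_from, backup_checks, primary_action="reject"):
    """Trace one message that arrives at the backup MX.

    Returns (smtp_reply_to_client, bounce_recipient, delivered).
    """
    result = spf_check(client_ip, mail_from)
    if backup_checks and result == "fail":
        # Refused inside the SMTP dialogue: the connecting client keeps the
        # message and the error, so the backup never owes anyone a bounce.
        return ("550", None, False)
    # The backup answered 250 and relays to the primary, which learns the
    # original client IP only from the backup's Received: line.
    if result == "fail":
        if primary_action == "reject":
            # The backup already accepted the message, so it must bounce it
            # to MAIL FROM, which is the forged address.
            return ("250", mail_from, False)
        if primary_action == "discard":
            # Nobody is told, including a legitimate sender that SPF got wrong.
            return ("250", None, False)
    return ("250", None, True)
```

With a constructed forged sender `victim@example.org` connecting from `203.0.113.9`, only the `backup_checks=True` path ends with neither a bounce to the forged address nor a silent loss: the refusal goes to the connecting client.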

