Frank Ellermann wrote:

in a scoring-based scheme, mail purportedly coming from a
domain that has published SPF records but not getting a
"pass" is considerably more likely to be spam than mail
coming from a domain that has not published SPF records at
all.

That's IMHO a bad idea. ?all should be the same as "no SPF".

Of course it should, that's what the spec. says.

You could still use PASS in your scoring somehow. Or if you
have identified domains where you insist on handling ?all like
~all you could use your own overwrites only for these domains.

hotmail.com is a good example here. The current caller-id record for hotmail.com
has the equivalent of ?all. But virtually every mail I receive that isn't sent
through hotmail (and hence comes back with a "neutral" result) is spam. Hence
it would appear to be useful to score against the "neutral" result.
Now since I fiddle the scores of my own procmail-based spam filter manually,
I've been able to fix this to my satisfaction. However, someone using an
out-of-the-box Bayesian-style spam filter (e.g. the one that's built into
Mozilla) might not be able to do that. If their MTA puts "Received-SPF:
neutral" into all such mails and most of them turn out to be spam, the scoring
system of that filter will weigh against the neutral result no matter what the
spec. says - the filter obviously isn't aware of the SPF semantics and just
scores the Received-SPF: header the same as any other. This is in fact one of
the reasons the Received-SPF: header is there in the first place - see
http://spf.pobox.com/newheader.html :

When an SPF query returns any other result, the MTA should add an advisory
header to the message of the form "Received-SPF: neutral" or "Received-SPF:
pass". That way, a spam filter further down the road can take that header
into account as part of a more balanced decision.

Paul.
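
The effect discussed in the message above, as an added example that is not part of the original post: a header-blind Bayesian filter learns a per-token spam probability for the Received-SPF: header, compared with a filter that follows the spec and folds "neutral" into "no SPF". The training counts, token names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed corpus: (Received-SPF result, or None when the domain publishes
# no SPF record, is_spam). Counts are invented to mirror the thread's scenario.
TRAINING = (
    [("pass", False)] * 40 + [("pass", True)] * 2
    + [("neutral", True)] * 45 + [("neutral", False)] * 3
    + [(None, True)] * 50 + [(None, False)] * 50
)

def blind_token(result):
    """Token as seen by a filter that knows nothing about SPF semantics."""
    return f"received-spf:{result}" if result else "received-spf:<absent>"

def spec_token(result):
    """Token for a filter that treats 'neutral' exactly like 'no SPF'."""
    return blind_token(None if result == "neutral" else result)

def train(corpus, tokenize):
    """Count token occurrences separately for spam and ham messages."""
    spam, ham = Counter(), Counter()
    for result, is_spam in corpus:
        (spam if is_spam else ham)[tokenize(result)] += 1
    return spam, ham, sum(spam.values()), sum(ham.values())

def spamminess(token, model):
    """Per-token spam probability with add-one smoothing (0.5 = no evidence)."""
    spam, ham, n_spam, n_ham = model
    p_spam = (spam[token] + 1) / (n_spam + 2)
    p_ham = (ham[token] + 1) / (n_ham + 2)
    return p_spam / (p_spam + p_ham)

def compare(corpus=TRAINING):
    """Return the learned weight of each SPF result under both tokenizers."""
    out = {}
    for name, tokenize in (("blind", blind_token), ("spec", spec_token)):
        model = train(corpus, tokenize)
        out[name] = {r: round(spamminess(tokenize(r), model), 3)
                     for r in ("pass", "neutral", None)}
    return out

if __name__ == "__main__":
    for name, weights in compare().items():
        print(name, weights)
```
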