Andriy G. Tereshchenko wrote:
> What do you mean by dictionary attack for "exists:%{l}.spf.example.com"??

A spammer who sees the "exists:%{l}.spf.example.com" could say "oh, let me
try if I can find a local part that exists" and then try

host john.spf.example.com
host mary.spf.example.com

etc.

> Are you willing to allow some users to send emails from any IP?

Yes, mail via a forwarder that does not do SRS.

> This is nonsense - you must use "exists:" to configure SPF on a per-user
> basis, not bypass.

Don't worry, you will not find out a local part so that %{l}.spf.example.com
exists.

> I agree with you that bypassing SPF using "exists:%{l}.spf.example.com" is
> clearly a misconfiguration!

Not if you do it in the right way. If you do it in the wrong way, you are
like a spammer who publishes "v=spf1 +all", and your domain will be
blacklisted.

Roger
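
How a receiver evaluates the "exists:%{l}.spf.example.com" mechanism discussed in this message, as an added example that is not part of the original post: it expands SPF macros (RFC 7208 syntax, IPv4 only, no URL-escaping) and checks the resulting name against a zone. The ZONE contents, the sample addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample zone (assumption): names for which an A record is published.
ZONE = {"mary.spf.example.com"}

# %{letter digits r delimiters} plus the literals %%, %_ and %-
MACRO = re.compile(r"%\{([slodihv])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])", re.I)

def expand(spec, sender, ip, helo):
    """Expand SPF macros in a domain-spec for one SMTP transaction."""
    local, _, domain = sender.rpartition("@")
    values = {"s": sender, "l": local or "postmaster", "o": domain,
              "d": domain, "i": ip, "h": helo, "v": "in-addr"}
    literals = {"%": "%", "_": " ", "-": "%20"}

    def repl(m):
        if m.group(5):                       # %%, %_ or %-
            return literals[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        # Split on the listed delimiters (default "."), then reverse/truncate.
        parts = re.split("[" + re.escape(delims or ".") + "]",
                         values[letter.lower()])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]     # keep the right-most N labels
        return ".".join(parts)

    return MACRO.sub(repl, spec)

def check_exists(mechanism, sender, ip, helo, zone=ZONE):
    """Return (queried_name, matched) for an 'exists:' mechanism."""
    if not mechanism.startswith("exists:"):
        raise ValueError("not an exists mechanism")
    name = expand(mechanism[len("exists:"):], sender, ip, helo).lower()
    # 'exists' matches when the name has any A record; the client IP
    # plays no part unless the domain-spec itself contains %{i}.
    return name, name in zone

if __name__ == "__main__":
    mech = "exists:%{l}.spf.example.com"
    for sender, ip in [("mary@example.com", "192.0.2.7"),
                       ("mary@example.com", "198.51.100.9"),
                       ("john@example.com", "192.0.2.7")]:
        print(sender, ip, check_exists(mech, sender, ip, "mx.example.net"))
```

Because the expanded name contains only the local part, the result for a given sender is the same from every client IP, and each distinct local part appears as a separate query name at the domain's authoritative DNS servers.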