...... Original Message .......
On Sat, 26 Feb 2005 17:00:31 +0100 "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
wrote:
Scott Kitterman wrote:
I have recently discovered that megapathdsl.com checks all mail
(inbound and outbound) for SPF. They then apply the Received-spf
header. They only reject inbound failures.
Foremost, a "Received-SPF:" header should not be added as a result of an
_outbound_ SPF check. The header name kind of implies that.
Yes. I've already been over it with them. They aren't changing so I
wanted to warn everyone.
Now one might assume that receivers would ignore Received-SPF headers
applied by previous MTAs. That is not always correct.
In the first place, only receiver _MUAs_, not MTAs, should care about the
"Received-SPF:" header. Then, a receiver MUA should look at only those
"Received-SPF:" headers of which it is absolutely sure that they have been
genuinely added by the receiving MTA. This is usually only the single
topmost header, _if_ the receiving MTA adds such a header at all.
There is no point in "blindly" looking for any "Received-SPF:" headers in
a received message, not knowing whether the receiving MTA actually added
those. This might be a sloppiness in SpamAssassin and similar tools (I am
not sure because I don't use SpamAssassin).
Agreed, but I'm just telling you what I've experienced. One was an SMTP
rejection from an internal (not on the border) MTA. The other was a case
of my messages getting filtered into an SPF Fail folder. I'm almost
certain it was a server side script, but probably more properly described
as MDA instead of MTA.
Scott Kitterman