spf-discuss
[Top] [All Lists]

Re: [spf-discuss] should SPF checks be before or after RBL

2006-10-03 06:45:05
On Tue, 3 Oct 2006, Scott Kitterman wrote:

On Tuesday 03 October 2006 08:24, Ramprasad wrote:
Hi,
  I am using postfix with rbls ( spamhaus , dsbl etc )
I have added SPF checks using policyd-spf-perl

Now which is the best place to do the spf checks. Should it be before
RBL checks or after. How do you folks configure them ?

The best practice as it's been discussed here is to wait until after RCPT TO 
and receipient validation to do SPF checks.  Since local recipient validation 
can be done without any DNS lookups it tends to be less expensive than SPF 
checks.  Typically recipient validition weeds out a LOT of mail and so the 
burden of doing the SPF checks is substantially reduced if you wait.

OTOH, I need an SPF PASS result (real or guessed) before I can safely
auto-blacklist domains that send spam to random recipients.  Furthermore,
if you wait until RCPT, then you have to wait for *ALL* the RCPTs - since
the spammer isn't going to stop at just 1 random recipient.  You have
to individually REJECT each RCPT TO.  So I find it better to do SPF
at MAIL FROM and reject stuff before RCPT TO whenever possible.  YMMV.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com