[Ilugc] [Need Tutorial] Learning about email SPF records
- From: benignbala@xxxxxxxxx (Balachandran Sivakumar)
- Date: Wed, 06 Jun 2012 23:37:20 +0530
Hi,
On Wednesday 06 June 2012 11:21 PM, Balasubramaniam Natarajan wrote:
> The reason why I am asking for this is because we are often getting spoofed
> emails and to avoid that we need to add SPF checking for a particular
> domain before confirming the authenticity of that email.
Another good technology that we can use is DKIM. But,
unfortunately, it is not yet in wide use.
> If it is hardfail in SPF people tell me it is good to do SPF check, however
> when it is softfail why does not the authenticity of the received email get
> maintained?
I am not sure if I got your question correctly. If you are asking why the
mails are not getting dropped for a Softfail, it is because the RFC
says that the receiving end SHOULD NOT reject the mails based on this.
So, the normal solution for this would be to let the user mark it as
spam. One possible reason that we need the soft fail mechanism is that
the DNS SPF entry has been changed and the system still has some mails
in an undelivered state.
To explain it better, let's say a domain had no SPF entries defined. And
some 100 emails have been sent from various servers of that domain. Now,
if the admin sets the SPF record to
    mx -all
All mails from boxes other than the MX would get dropped by the
receiving mail server, and some of them might be legitimate. It might be
that the new policy might not have been known to some people in the
organisation and hence they are using machines other than the MX. So, to
allow such emails to be delivered, the SPF is defined as follows,
    mx ~all
Now, the receiving entity will receive a soft fail, but SHOULD NOT
reject the email. This is the reason why we normally don't reject for
soft fails. Thanks
--
Thank you,
Balachandran Sivakumar
blog:
http://beningbala.wordpress.com
Arise, Awake and Stop Not Till the Goal is Reached
- Swami Vivekananda
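
The two policies from the message above (mx -all and mx ~all), worked through as an added example that is not part of the original post. The evaluator covers only the mx, ip4 and all mechanisms; the addresses, the MX_IPS list standing in for DNS lookups, and the receiver_action policy are assumptions made for illustration.

```python
import ipaddress

# SPF qualifier -> result name (RFC 7208, section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data (documentation address ranges), standing in for
# the DNS MX/A lookups so the example runs offline.
MX_IPS = ["192.0.2.10"]
OTHER_HOST = "198.51.100.7"   # a legitimate machine that is not the MX

def evaluate_spf(record, sender_ip, mx_ips):
    """Evaluate a simplified SPF record (mx, ip4 and all mechanisms only)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if terms and terms[0].lower() == "v=spf1":
        terms = terms[1:]
    for term in terms:                      # first matching mechanism wins
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "mx":
            matched = ip in {ipaddress.ip_address(a) for a in mx_ips}
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"              # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched

def receiver_action(result):
    """Assumed local policy: reject hard fails, flag soft fails, never drop them."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-flag"
    return "accept"

if __name__ == "__main__":
    for record in ("mx -all", "mx ~all"):
        for host in (MX_IPS[0], OTHER_HOST):
            result = evaluate_spf(record, host, MX_IPS)
            print(f"{record!r:10} {host:14} {result:9} {receiver_action(result)}")
```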