Author: Ian Eiloart
Date:
To: David Saez Padros
CC: exim-users, Doug Jolley, David Woodhouse
Subject: Re: [exim] Compile time problems

--On 3 April 2006 13:59:16 +0200 David Saez Padros <david@???> wrote:
> Hi !!
>
>> But, it is potentially useful for whitelisting. If there are domains
>> that you trust, then SPF can be used to determine whether the email is
>> coming from their approved IP addresses. If they are, then you may be
>> able to accept the email without spam filtering. For example, I'd be
>> happy to accept mail without spam filtering from educational domains
>> (*.ac.uk, *.edu) when I'm sure that the email is coming from an
>> institutional server.
>
> spf pass is not a guarantee that any mail coming from 'pass' IPs
> is not spam, in fact mail coming from those IPs could also be sent
> by user applications that can forge other users' domains and email
> addresses (like weak cgi applications).

True, but I know what kind of organisation is behind a .ac.uk domain
because the TLD is tightly controlled. I know that they'll take spam
complaints seriously, and I have a business reason for ensuring that we can
exchange email with them.

If I did have problems from a specific domain, I'd remove it from my
whitelist.

Here's the useful thing about SPF:

You can't whitelist a mail domain because anyone can use it. However, if
you could tie down the legitimate servers for a domain that you trust, then
you could whitelist those servers (at least for mail from that domain).
That's what SPF lets you do.

Of course, not all email from that domain will come from those servers, but
adopting SPF-based whitelists gives people a reason to use the listed
servers.