Re: [exim] exim spfquery config

Author: Sebastian Nielsen
Date:  
To: Mike Brudenell
CC: exim-users@exim.org
Subject: Re: [exim] exim spfquery config
> However do please be cautious about denying messages that only softfail.

I disagree with this. So many organizations have had softfail for
several tens of years for no apparent reason. Gmail is no exception.

-----

C:\Users\Sebastian Nielsen>nslookup -type=TXT gmail.com
Server:  fw.sebbe.eu
Address:  192.168.4.1
Non-authoritative answer:
gmail.com       text =
        "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
gmail.com       text =
        "v=spf1 redirect=_spf.google.com"
C:\Users\Sebastian Nielsen>nslookup -type=TXT _spf.google.com
Server:  fw.sebbe.eu
Address:  192.168.4.1
Non-authoritative answer:
_spf.google.com text =
        "v=spf1 include:_netblocks.google.com
include:_netblocks2.google.com include:_netblocks3.google.com ~all"
C:\Users\Sebastian Nielsen>


-----

If you don't mind expending some disk storage, create a custom
application that will, upon seeing a softfail for a domain, append the
domain into a disk file along with year+month of first seen softfail,
IF NOT: the domain is already in file (and treat as softfail). IF
domain is already in file, IF the year+month is 2 months away or more,
treat as hardfail. Else treat as softfail.

Then every organization that touches your mailserver will get anywhere
from 1-2 months to ensure any mailserver they use is added to their
SPF; after that, you will forcefully hardfail their "softfail".

I personally treat softfail as hardfail on my mailserver sebbe.eu. It
works very well and I haven't seen a "false positive" yet where an
email that is not obviously spoofed has been rejected.
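
The grace-period tracker described in the message above, sketched in Python as an added example that is not part of the original message. The function name, the file format (one `domain YYYY-MM` line per domain), the `grace_months` parameter and the command-line form are assumptions.

```python
import datetime
import fcntl
import sys


def month_index(year, month):
    # Months since year 0, so differences work across year boundaries.
    return year * 12 + (month - 1)


def softfail_verdict(domain, store_path, today=None, grace_months=2):
    """Return 'softfail' inside the grace period, 'hardfail' once it has passed."""
    today = today or datetime.date.today()
    domain = domain.strip().rstrip(".").lower()
    if not domain or any(c.isspace() for c in domain):
        return "softfail"  # unusable key: never escalate on malformed input
    now = month_index(today.year, today.month)
    # "a+" creates the file if missing and always appends on write;
    # the exclusive lock serialises concurrent deliveries.
    with open(store_path, "a+", encoding="utf-8") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.seek(0)
        for line in fh:
            parts = line.split()
            if len(parts) != 2 or parts[0] != domain:
                continue
            try:
                year, month = map(int, parts[1].split("-"))
            except ValueError:
                continue  # damaged record: ignore it and keep looking
            age = now - month_index(year, month)
            return "hardfail" if age >= grace_months else "softfail"
        # First softfail seen for this domain: record year+month.
        fh.write(f"{domain} {today.year:04d}-{today.month:02d}\n")
    return "softfail"


if __name__ == "__main__":
    # Assumed usage: script.py <sender-domain> <store-file>
    print(softfail_verdict(sys.argv[1], sys.argv[2]))
```

Because only year and month are stored, a domain first seen late in a month reaches hardfail after a little over one month, which matches the "1-2 months" window in the message.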