Pat forwarded me a suggestion from a customer today and I
figured I’d discuss it here, since this is a common misconception about SPF…
> I would like to see SPF-enhanced white listing. If the e-mail
> passes the SPF check, white list the e-mail message and
> continue delivery. If the e-mail message fails the SPF check,
> pass it through the normal SPAM checks and process the e-mail
> message like any other e-mail received.
Many spammers publish SPF records for their domains too, and they send their spam from the mail servers listed in their SPF. By whitelisting all mail that passes SPF checks, we would be allowing a lot of spam in. I just did a search of my spam folder and 91 spam emails passed the SPF checks, meaning the spam domain has published SPF records and the spam email was sent from that domain’s legitimate servers.
SPF is not designed for whitelisting.
Rather, SPF is designed to prevent phishing and other forgeries. If an email is sent from a server that is not listed in a domain’s SPF record, we can assume it to be a forgery and either tag it as spam or discard it. This is really the only safe way to use SPF, and this is how we use it currently.
Here are the SPF scores we are using:
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 8.001
score SPF_SOFTFAIL 4.001
score SPF_HELO_FAIL 5.001
score SPF_HELO_SOFTFAIL 4.001
We tag messages as spam at a score of 6.000 or higher. FYI, the -0.001 scores exist only so that we can see in the message headers whether the email passed the SPF checks.
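To make the point concrete, here is an added example (not code from the post or from any mail product) that evaluates a sender IP against a constructed SPF record and then applies the score table above with the 6.000 threshold. The domains, records and IPs are constructed for illustration; the evaluator handles only the ip4, ip6 and all mechanisms (no include, a, mx or redirect) and checks the envelope-from identity only, so the SPF_HELO_* rules are parsed but not exercised. The last case shows why an SPF pass cannot serve as a whitelist: a domain with a valid record, sending from its own listed server, still lands above the threshold once the content checks score it.

```python
import ipaddress

# Score lines as given in the post (SpamAssassin-style "score RULE value").
SCORE_CONFIG = """
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 8.001
score SPF_SOFTFAIL 4.001
score SPF_HELO_FAIL 5.001
score SPF_HELO_SOFTFAIL 4.001
"""
SPAM_THRESHOLD = 6.000  # tag as spam at this score or higher

# Constructed SPF TXT records for hypothetical domains; looked up offline, no DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    # A spam-sending domain that publishes a perfectly valid record.
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RESULT_TO_RULE = {"pass": "SPF_PASS", "fail": "SPF_FAIL", "softfail": "SPF_SOFTFAIL"}


def parse_scores(config):
    """Parse 'score RULE value' lines into a dict of rule name -> float."""
    scores = {}
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2])
    return scores


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS):
    """Minimal SPF check for the envelope-from domain.

    Walks the record left to right; the first matching ip4/ip6 term, or the
    'all' term, decides the result. Returns 'pass', 'fail', 'softfail',
    'neutral' or 'none' (no usable record).
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if ":" in term:
            mech, value = term.split(":", 1)
            if mech in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue  # malformed term: ignore it, keep evaluating
                if ip.version == net.version and ip in net:
                    return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' term


def score_message(domain, sender_ip, content_score=0.0, scores=None):
    """Add the SPF rule score to the score from the other (content) checks.

    Returns (spf_result, total_score, tagged_as_spam).
    """
    scores = scores if scores is not None else parse_scores(SCORE_CONFIG)
    result = evaluate_spf(domain, sender_ip)
    rule = RESULT_TO_RULE.get(result)
    total = content_score + (scores[rule] if rule else 0.0)
    return result, round(total, 3), total >= SPAM_THRESHOLD


if __name__ == "__main__":
    cases = [
        ("example.com", "192.0.2.25", 0.0),      # legitimate server, clean content
        ("example.com", "203.0.113.5", 0.0),     # forged: not in example.com's record
        ("softfail.example", "203.0.113.5", 2.5),  # softfail plus a mildly spammy body
        ("spammer.example", "203.0.113.7", 7.0),   # SPF passes, content still spam
        ("nospf.example", "192.0.2.1", 0.0),     # no record published
    ]
    for domain, ip, content in cases:
        print(domain, ip, score_message(domain, ip, content))
```

Running it shows the forged message tagged on SPF_FAIL alone, while the message from spammer.example passes SPF and is still tagged, because -0.001 does nothing to offset a content score. That is the asymmetry the post describes: a fail is strong evidence of forgery, but a pass only says the sender used the servers it claims to use.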