[colug-432] SPF and other stuff for personal domains

Angelo McComis angelo at mccomis.com
Mon Feb 13 13:42:47 EST 2017


The key difference between ?all and ~all is as follows:

~all means SPF soft-fail.  If the check of the preceding statements about
what is listed as valid does not pass, consider this a soft fail. (I'll
come back to what that means in a second).

?all means SPF neutral. It means the owner of the domain is not declaring
what the recipient should do if the sending host is not listed. It's
neither pass nor fail.  (so how is that even useful?)

The purpose of neutral and soft-fail comes back to the logic of setting up
your mail with defense in layers.

For example:

a) First check:  IP check at the first connection, check against RBLs, and
immediately just drop / disconnect known spammers, residential IP range,
and so on.
b) Next, check that the sender domain is valid for the IP it's coming from
(SPF check). Start tallying score at this point.   Valid SPF, you give
positive 50 points. Neutral score, you give 0 points. Soft-fail, you give
-10 points.  Hard-fail, you give -100 points.    Same with DKIM --
pass/fail ==> points added or subtracted from score.
c) You next check for valid recipient (this is easy to cache, so is not
resource intensive) - Invalid recipient, bounce it back.
d) You perform your chosen heuristics on the message (e.g. run it through
Spam Assassin, OCR the images to check the text strings for spammy content,
distributed checksum checker, etc.) and do more scoring (+ or -)
e) Virus scan and phishing checks...

If you've scored the message according to those rules, positive points get it
passed to the inbox, up to -10 negative points gets it flagged (like
prepending the subject with [SPAM?] ) or something, and at more than -10
negative the message gets quarantined / dropped.

With SPF Soft Fail, you can incorporate this into a scoring system with
Spam Assassin, such that you can customize how much or how little a penalty
to assign for soft-failing SPF, or DKIM.  If everything else passes, you
might pass the message as OK.

The thing to remember as I've outlined in my example defense-in-depth
strategy is that you use the least amount of CPU/resources to drop the most
amount of spam. Each message that passes consumes additional resources to
check it for rejection. Once you've assessed a message to get it all the
way through the process, if it gets to the inbox, you're pretty sure it's a
valid email.  Otherwise, it gets dealt with accordingly.


Angelo



On Mon, Feb 13, 2017 at 10:26 AM, Rick Troth <rmt at casita.net> wrote:

>
> Hence this thread fork. I put "~all" and I'm not sure if maybe I should
> use "?all" instead. Whadaya think?
>
> More interesting (to me) is whether or not I have IP4 and IP6 and MX
> values set correctly.
>
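As an added example (not part of Angelo's post or anything the list published), here is the scoring pipeline he describes, in Python. The SPF point values (+50 / 0 / -10 / -100) and the -10 flag threshold are the ones from the post; the DKIM weights, the treatment of a score of exactly zero as "inbox", the RBL list, the recipient list and the SPF records are assumptions or constructed sample data for the demo. The small `spf_result_for_unlisted_sender` helper reads the qualifier on the `all` mechanism out of a TXT record, which is exactly what decides whether an unlisted host lands on neutral (`?all`), softfail (`~all`) or fail (`-all`).

```python
"""Layered mail scoring, as sketched in the list post above.

Added example, not the author's code.  Point values for SPF and the
-10 flag threshold come from the post; everything else is an assumption
or constructed sample data.
"""

# Qualifier on the "all" mechanism -> SPF result for a host the record does
# not otherwise list (RFC 7208 semantics: "+" pass, "-" fail, "~" softfail,
# "?" neutral).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Points the post assigns to each SPF outcome.
SPF_POINTS = {"pass": 50, "neutral": 0, "softfail": -10, "fail": -100}

# DKIM weights are an assumption; the post only says pass/fail adds or
# subtracts points.  "none" = message carried no DKIM signature.
DKIM_POINTS = {"pass": 50, "fail": -50, "none": 0}

# Constructed sample data (documentation/test-net addresses, not real hosts).
RBL_LISTED = {"203.0.113.7"}
VALID_RECIPIENTS = {"rick@example.net", "angelo@example.net"}


def spf_result_for_unlisted_sender(record: str) -> str:
    """Return the SPF result a sender gets when no mechanism matched it.

    Only the trailing "all" term is interpreted; redirect= modifiers are
    not followed in this toy.  With no "all" term at all, RFC 7208 makes
    the default result neutral.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIER_RESULT:
            qual, mech = term[0], term[1:]
        if mech.lower() == "all":
            return QUALIFIER_RESULT[qual]
    return "neutral"


def disposition(score: int) -> str:
    """Map a final score onto the post's three outcomes.

    Assumption: a score of exactly 0 (e.g. ?all plus no DKIM, nothing else
    wrong) is treated as not negative and goes to the inbox.
    """
    if score >= 0:
        return "inbox"
    if score >= -10:
        return "flag"        # e.g. prepend "[SPAM?]" to the subject
    return "quarantine"


def process(sender_ip: str, spf_record: str, sender_listed: bool,
            dkim: str, recipient: str, heuristic_points: int = 0):
    """Run the checks cheapest-first and stop as soon as a stage decides.

    sender_listed says whether the connecting IP matched one of the
    record's ip4/ip6/mx mechanisms (the DNS lookups themselves are out of
    scope here).  Returns (action, score); score is None if no scoring
    stage was reached.
    """
    # a) Cheapest check first: a listed IP is dropped before any parsing.
    if sender_ip in RBL_LISTED:
        return "drop", None

    # b) SPF: a listed host passes; otherwise the "all" qualifier decides.
    spf = "pass" if sender_listed else spf_result_for_unlisted_sender(spf_record)
    score = SPF_POINTS[spf] + DKIM_POINTS[dkim]

    # c) Unknown recipient: bounce before spending CPU on content checks.
    if recipient not in VALID_RECIPIENTS:
        return "bounce", score

    # d/e) Content heuristics (SpamAssassin, OCR, checksums, AV) add or
    # subtract further points; here they arrive as a single number.
    score += heuristic_points
    return disposition(score), score


if __name__ == "__main__":
    for rec in ("v=spf1 mx ~all", "v=spf1 mx ?all", "v=spf1 mx -all"):
        print(rec, "->", spf_result_for_unlisted_sender(rec),
              process("198.51.100.5", rec, False, "none", "rick@example.net"))
```

Running the block shows the practical difference the post is getting at: an unlisted host under `~all` comes in at -10 and is merely flagged, under `?all` it scores 0 and gets through on the strength of the other checks, and under `-all` it is quarantined outright. The order of the stages matters as much as the numbers: the RBL drop and the recipient bounce return before any content scanning happens.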