<div dir="ltr"><div class="gmail_extra"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">The key difference between ?all and ~all is as follows:</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">~all means SPF soft-fail. If the check of the preceding statements about what is listed as valid does not pass, consider this a soft fail. (I'll come back to what that means in a second).</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">?all means SPF neutral. It means the owner of the domain is not declaring what the recipient should do if the sending host is not listed. It's neither pass nor fail. (so how is that even useful?)</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">The purpose of neutral and soft-fail comes back to the logic of setting up your mail with defense in layers.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">For example:</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">a) First check: IP check at the first connection, check against RBLs, and immediately just drop / disconnect known spammers, residential IP range, and so on. </div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">b) Next, check that the sender domain is valid for the IP it's coming from (SPF check). Start tallying score at this point. Valid SPF, you give positive 50 points. Neutral score, you give 0 points. Soft-fail, you give -10 points. Hard-fail, you give -100 points. Same with DKIM -- pass/fail ==> points added or subtracted from score.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">c) You next check for valid recipient (this is easy to cache, so is not resource intensive) - Invalid recipient, bounce it back.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">d) You perform your chosen heuristics on the message (e.g. run it through Spam Assassin, OCR the images to check the text strings for spammy content, distributed checksum checker, etc.) and do more scoring (+ or -)</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">e) Virus scan and phishing checks...</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">If you've scored the message according to those rules, positive points gets passed to the inbox, up to -10 negative points gets flagged (like prepending the subject with [SPAM?] ) or something, and more than -10 negative, and the message gets quarantined / dropped.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">With SPF Soft Fail, you can incorporate this into a scoring system with Spam Assassin, such that you can customize how much or how little a penalty to assign for soft-failing SPF, or DKIM. If everything else passes, you might pass the message as OK. </div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">The thing to remember as I've outlined in my example defense-in-depth strategy is that you use the least amount of CPU/resources to drop the most amount of spam. Each message that passes consumes additional resources to check it for rejection. Once you've assessed a message to get it all the way through the process, if it gets to the inbox, you're pretty sure it's a valid email. Otherwise, it gets dealt with accordingly.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,51)">Angelo</div><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 13, 2017 at 10:26 AM, Rick Troth <span dir="ltr"><<a href="mailto:rmt@casita.net" target="_blank">rmt@casita.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hence this thread fork. I put "<font face="Courier New, Courier,
monospace">~all</font>" and I'm not sure if maybe I should use "<font face="Courier New, Courier, monospace">?all</font>" instead.
Whadaya think? <br>
<br>
More interesting (to me) is whether or not I have IP4 and IP6 and MX
values set correctly. <br></blockquote></div><br><br></div></div>