On Tue, 17 Apr 2012 17:48:47 -0400, "Elazar Broad" said:

> At least configure your SPF record policy to hard fail, and consider Domain
> Keys and/or DMARC.

Given where his MX's point, and the fact that the SPF includes a :include that points at another domain, simply setting it to "hard fail" without breaking his e-mail may or may not be easy to do. Similarly, if he sets it to hard fail, he probably can't turn on DKIM without the cooperation of the domain listed in the :include.

(A *lot* of sites that do SPF only code 'soft fail' so that other tools like spamassassin can add a few points if the mail comes from an "unexpected" place, but don't want to have hard-fail because that can break users. For instance, we don't publish a hard-fail because that results in a support headache if one of our professors goes to a conference and sends e-mail from his hotel room - and the hotel network hijacks the connection. *loads* of fun to sort that out when the professor calls our help desk from Seattle or Tokyo. And of course, he's a chemical engineering professor, so has zero network debugging tools on the laptop...)
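An added example, not part of the original message: a small Python check that reads an SPF TXT record and reports the two things the reply turns on, namely the qualifier on the `all` term (soft fail versus hard fail) and any `include:` targets run by another domain. The function names and the sample records are constructed for illustration; the evaluation rules follow RFC 7208.

```python
# Added example: the records in SAMPLES are constructed, not taken from the thread.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms and modifiers."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms, modifiers = [], {}
    for part in parts[1:]:
        # The first of ':', '/' or '=' decides: '=' first means a modifier (redirect=, exp=).
        cut = min((part.find(c) for c in ":/=" if c in part), default=len(part))
        if cut < len(part) and part[cut] == "=":
            modifiers[part[:cut].lower()] = part[cut + 1:]
            continue
        has_q = part[0] in QUALIFIERS
        qualifier = part[0] if has_q else "+"        # the default qualifier is '+'
        mech, _, value = (part[1:] if has_q else part).partition(":")
        terms.append((qualifier, mech.lower(), value))
    return terms, modifiers

def review_policy(record):
    """Report the 'all' policy and what must be checked before publishing -all."""
    terms, modifiers = parse_spf(record)
    includes = [v for _, m, v in terms if m == "include"]
    all_q = next((q for q, m, _ in terms if m == "all"), None)
    findings = []
    if all_q is None and "redirect" not in modifiers:
        findings.append("no 'all' term: unmatched senders evaluate to neutral")
    elif all_q is None:
        findings.append("policy is delegated via redirect=" + modifiers["redirect"])
    elif all_q in "~?":
        findings.append("unmatched senders are only marked, not rejected")
    elif all_q == "+":
        findings.append("+all authorizes every sender")
    if includes and all_q != "-":
        findings.append("before -all, confirm all legitimate senders are covered by: "
                        + ", ".join(includes))
    return {"all": QUALIFIERS.get(all_q), "includes": includes, "findings": findings}

SAMPLES = [  # constructed records using reserved example names and addresses
    "v=spf1 mx include:_spf.mailhost.example ~all",
    "v=spf1 ip4:192.0.2.0/24 -all",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", review_policy(rec))
```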
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/