One of my clients is a big fan of hosted services. They use a hosted wiki, a hosted WebDAV service, hosted email (with IMAP and POP access), and a hosted anti-spam service.It's the combination of the email and anti-spam services that's caused them some problems recently. Mail from some senders started bouncing. Looking at the headers revealed that someone was rejecting mail because of a "hard" SPF failure. It wasn't immediately clear who was rejecting it, however.
It turned out that the hosted email service had turned on aggressive SPF filtering, so that any message causing a hardfail would be rejected. The sender had specified "-all" in their SPF record, which means, "Hardfail any message which isn't being sent from our servers."
Lessons learned:
- If you use a hosted anti-spam service, don't implement SPF on your email system
- If you run a hosted anti-spam service or forward mail sor some other reason, consider supporting SRS, which munges the message sender
- If you publish SPF records, be cautious about using "-all" at this early stage
- If you filter using SPF records, rejecting simply because of an SPF hardfail is aggressive
- If you reject in whole or in part because of SPF, say why in the text of the error message. Include a link like this
No comments:
Post a Comment