[Gllug] Configuring SPF to cope with secondary incoming mail servers

john at sinodun.org.uk john at sinodun.org.uk
Mon Dec 4 13:33:52 UTC 2006


I've been doing a bit of research on how one can configure SPF for
incoming mail if you don't have control over your secondary MX servers
(typically because they belong to your ISP).

The problem arises because if an e-mail goes to your secondary server, it
will then attempt to pass it on to your primary server.  If an SPF record
exists for the sender's domain then your primary server will (almost
certainly) flag the e-mail as failing the SPF test because the secondary
is not listed in the sender's SPF record.

If OTOH you whitelist your secondary MX server, then spammers can
circumvent your SPF checks simply by always sending mail to your
secondary.

Doing some web research the only suggestion I've seen made is to put SPF
checking on your secondaries as well and then whitelist them at your
primary.  The problem with this approach is that you may well not have
that kind of control of your secondary servers.

The solution which occurs to me is a kind of semi-whitelisting.  Your
primary server is told to trust your secondary to the extent that it
believes the last header which your secondary added (telling it where your
secondary received the e-mail from).  Unfortunately I can find no
reference to this approach being implemented anywhere.

Anyone solved this problem?  Have I missed another way of doing it?

TIA,
John

(It's not actually a problem for me because an SPF fail on my site simply
adds 1.1 to my SpamAssassin score, but another site I know of relies
absolutely on an SPF fail and it's causing grief.)
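
The semi-whitelisting idea from the message above, sketched as an added example (not part of the original post and not taken from any MTA): when the connecting peer is a known secondary, the primary evaluates SPF against the client address in the topmost Received header, which is the one the secondary itself wrote. The addresses, host names and the Postfix-style header layout are assumptions; the SPF lookup on the returned address is left to whatever checker the primary already runs.

```python
import ipaddress
import re
from email import message_from_string

# Hypothetical ISP-run secondary MX: connecting IP -> name it writes after "by".
TRUSTED_SECONDARIES = {"198.51.100.7": "mx2.isp.example"}

# Assumed Postfix-style trace line: "from HELO (rdns [ip]) by host ...".
# HELO is client-supplied, so only the bracketed address in the comment is used.
RECEIVED = re.compile(
    r"^from\s+\S+\s+\(\S+\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)\s+by\s+(\S+)", re.I)


def spf_client_ip(peer_ip, raw_message):
    """Return the address the primary should evaluate SPF against."""
    by_name = TRUSTED_SECONDARIES.get(peer_ip)
    if by_name is None:
        return peer_ip                      # direct delivery: normal SPF check
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return peer_ip                      # nothing to trust, fail closed
    top = " ".join(received[0].split())     # unfold the topmost header only
    match = RECEIVED.match(top)
    # A second " by " suggests client text leaked into the line: do not trust it.
    if not match or match.group(2).lower() != by_name or top.count(" by ") != 1:
        return peer_ip
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return peer_ip


# Constructed sample: relayed via the secondary, with a forged header underneath.
SAMPLE = (
    "Received: from [192.0.2.25] (unknown [203.0.113.9])\n"
    "\tby mx2.isp.example (Postfix) with ESMTP id 4F1A2B3C\n"
    "\tfor <john@example.org>; Mon, 4 Dec 2006 13:30:01 +0000 (UTC)\n"
    "Received: from mail.bank.example (mail.bank.example [192.0.2.25])\n"
    "\tby mx2.isp.example (Postfix) with ESMTP id FORGED\n"
    "From: accounts@bank.example\n"
    "Subject: constructed test message\n"
    "\nbody\n"
)

if __name__ == "__main__":
    print(spf_client_ip("198.51.100.7", SAMPLE))   # relayed by the secondary
    print(spf_client_ip("203.0.113.9", SAMPLE))    # delivered direct
```

Only the single header added by the secondary is read; anything below it, and the HELO string inside it, is sender-controlled and is ignored, and any header that does not parse as expected falls back to the peer address.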
