Re: Newbie-esque SPF deployment questions

On Thu, Jun 02, 2005 at 12:33:06PM -0700, Jeremy Chadwick wrote:

> And for incoming mail (mail destined to user <at> parodius.com):
> 
> Internet host --> mx1.parodius.com:25 --> procmail (MTA) --> SpamAssassin + SPF --> Local mailbox
>                     {sendmail}
> 
> Important to note: sendmail is bound to mx1.parodius.com (64.62.145.229),
> which is an IP alias on the same physical machine as the A record you
> see for the actual domain itself (parodius.com).  All SMTP traffic
> (incoming and outgoing) is done over 64.62.145.229; and yes, I am 100%
> sure of this.  I just wanted to make that crystal clear.  :-)

That does include SpamAssassin+SPF?  You're sure that part
isn't handled by pentarou.parodius.com?

> However, since doing this, his own Emails are getting marked with a +0.5
> in SpamAssassin score due to SPF lookups claiming SOFTFAIL:
> 
> >> pts  rule name              description
> >> ---- ---------------------- --------------------------------------------------
> >> 0.5  SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
> >>                             [SPF failed: Please see http://spf.pobox.com/why.html?sender=username%40parodius.com&ip=65.95.32.147&receiver=pentarou.parodius.com]

According to _your_ SpamAssassin, the host delivering this message
to _your_ hosts is 65.95.32.147.

If the user is submitting the message, don't run it through SPF (or
make sure he's allowed, whitelisted, whatever).

If the SpamAssassin is called on the receiving end, the user is
delivering the message directly from home instead of via your
infrastructure.

user -> your infra (incl. SA+SPF) -> remote user (incl. himself)
user -> your infra (no filter) -> remote user (himself, via SA+SPF)

Maybe you can find out which of these two possibilities is the case.

HTH
Alex
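
An added example, not part of the original message and not code from either poster: it shows why the SPF result depends on which connecting IP the filter evaluates, and how exempting a user's own submission avoids the softfail. The SPF record, the `is_submission` flag and the function names are assumptions made for illustration; the thread does not show the real record. Only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed record for illustration; the thread does not show the real one.
SAMPLE_RECORD = "v=spf1 ip4:64.62.145.229 ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of an SPF record (no DNS)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, ... need DNS lookups and are not evaluated here
    return "neutral"


def spf_for_hop(record, client_ip, is_submission):
    """Skip SPF for mail our own users submit; check everything else."""
    if is_submission:
        return "skipped"
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    home, relay = "65.95.32.147", "64.62.145.229"  # both IPs are from the thread
    print("filter sees home IP:", spf_for_hop(SAMPLE_RECORD, home, False))
    print("filter sees mx1 IP: ", spf_for_hop(SAMPLE_RECORD, relay, False))
    print("submission exempted:", spf_for_hop(SAMPLE_RECORD, home, True))
```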

