Print Page | Close Window

Safe to block SPF softfail?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5572
Printed Date: 09 May 2025 at 12:28pm


Topic: Safe to block SPF softfail?
Posted By: Guests
Subject: Safe to block SPF softfail?
Date Posted: 09 April 2006 at 12:14am

Just wondering.... if it's considered safe to

block incoming email when SPF test is "softfail"???

Any thoughts from folks who have tested in real world??

I personally, block "Fail" tests only, however want to be more

proactive.

Much appreciate your reply

Al


Replies:
Posted By: sgeorge
Date Posted: 09 April 2006 at 9:32pm

Hi Altras, in my own opinion, it's not safe to block softfails.  Mail admins who create their SPF rules can have a number of reasons for identifying their records to probably list valid sending addresses (with ~all) instead of definitely listing all valid sending addresses (with -all).

Softfail matches can occur for a number of reasons other that the message being from an inappropriate sender:

  • The mail admin may have recently created a SPF record, and may need to test it's accuracy before creating a more definitive SPF record
  • The potential list of systems that may legitimately send email from the domain may be too dynamic or complex for the admin to create an accurate list
  • Or maybe they received too many reports of their legitimate outgoing email being incorrectly identified with SPF hardfails, and their lazy approach to solving the problem is to loosen the strength of their SPF rules, without revising the list of addresses in the rules.

Ideally, you could identify a softfail with a lower confidence level that the message is from the alleged sender.  For now, I give all softfails the benefit of the doubt for my domain.  But that’s just my take.

Stephen

Posted By: lyndonje
Date Posted: 18 April 2006 at 6:46am
At present I block on softails.

I decided that if it caused me a big problem I would default back to block only hardfails.

So far I've had no complaints, and in my view, if admins are too lazy to publish a correct SPF, and to make their lives easier publish a ~all, then its the same as a admin being lazy and not closing relay etc. In which case, why bother having an SPF record at all if they arent going to administer it correclty and ultimately publish a -all.

I do understand that some people maybe in 'testing' phase, which I do understand, and would not class these admins as lazy. But if a legitimate user complained to their IT dept that they were blocked, which was caused by a soft tail, the IT guy would then go, 'Oh right, lets add your IP to our SPF record' - in effect sorting the problem and helping the senders IT dept complete their SPF record.

Another thing to think about, how many spams do you get that are reportedly from hotmail.com and the like? As hotmail have a ~all, me blocking softtails blocks more spam (from reported sources such as hotmail.com) than false positives. I can understand why hotmail may have a softtail, and in my opinion it is to save them the head ache of any people that may complain who also have a mail client to send mail out using their hotmail address. So by hotmail doing this they're passing the ownous onto us. If such a user then contacted us, it would be for us to say 'If you're using your hotmail address you should use the hotmail web site'. In other words, Hotmail are wanting us to make the stance rather than them, which probably suites them fine.


Print Page | Close Window