[Greylist-users] Skipping greylisting based on SPF?

Ken Raeburn raeburn at raeburn.org
Sun Aug 29 10:06:09 PDT 2004


Steven Grimm <koreth-greylist at midwinter.com> writes:
> What do people think of the idea of skipping the greylist process for
> mail where the remote IP address is explicitly allowed by the sender
> domain's SPF record? In that case you can be reasonably well assured
> that the sender domain isn't a forgery, and it's likely that the sending
> host is a real mail server that would retry the message.

That would still let through spam from sites that publish their own
SPF records for their domain-name-of-the-week and use non-retrying
spamware.

However, I think I can suggest a useful refinement to your idea:

Bypass greylisting for any sending site matching the SPF record *if*
the domain (or, maybe, a parent domain?) is contained in a certain
list (file, mysql table, whatever), which initially would contain AOL
and Yahoo and other major ISPs.  Another way of looking at this is
whitelisting certain domains' sending addresses but via SPF records
instead of by storing the IP addresses in a database.  (In fact, that
might be a desirable feature for greylisting even if you're not using
SPF to reject mail.)  That would still prevent spam sites publishing
their own SPF records from getting through without retrying.

And you could log sites that greylisting eventually lets through that
also publish SPF records, to manually decide whether to add them to
the list.

Ken
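
The refinement described in this message, sketched as an added example that is not part of the original post or of any greylisting package. The SPF result is assumed to come from a check done elsewhere in the MTA; the function names, the 300-second delay and the sample allowlist are assumptions.

```python
import time

# Constructed sample list; the message suggests seeding it with major ISPs.
SPF_BYPASS_DOMAINS = {"aol.com", "yahoo.com"}
GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)


def domain_in_list(domain, allowlist):
    """True if the domain or one of its parent domains is listed.

    The bare top-level label is never tested, so a stray "com" entry
    cannot allowlist every .com sender.
    """
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist
               for i in range(len(labels) - 1))


def decide(ip, sender, rcpt, spf_result, seen, candidates, now=None):
    """Return "accept" or "defer" for one delivery attempt.

    seen maps (ip, sender, rcpt) triplets to first-seen timestamps.
    candidates collects domains for manual review of the allowlist.
    """
    now = time.time() if now is None else now
    domain = sender.rpartition("@")[2].lower()
    # Only an explicit SPF "pass" counts; softfail, neutral and none do not.
    spf_pass = spf_result == "pass"

    if spf_pass and domain_in_list(domain, SPF_BYPASS_DOMAINS):
        return "accept"  # listed domain, sending IP authorized by its SPF record

    # Everything else, including self-published SPF on unlisted domains,
    # goes through ordinary greylisting.
    triplet = (ip, sender.lower(), rcpt.lower())
    first_seen = seen.setdefault(triplet, now)
    if now - first_seen < GREYLIST_DELAY:
        return "defer"  # temporary failure; a real mail server retries

    if spf_pass:
        # Passed greylisting and publishes SPF: log it for manual review.
        candidates.add(domain)
    return "accept"
```
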

