Ever looked at your SPF records that ISPConfig creates for you? Remember that last critical question it asked when you created it?
Quote:
|
"Do the above entries contain all hosts allowed to send emails for this domain?"
|
When you answer 'yes' it sets the 'softfail' setting which isn't always a good thing. The softfail is "~all" which means that your domain can still be spoofed because most email servers allow mail to still go through with that error.
A complete fail is "-all" which means if it doesn't come from any of the assigned IP's or MX its fake and do not trust it.
I changed the default behaviour from ~all to -all since that would be the correct way to do it now. SPF is very stable and there is no real reason to allow a 'softfail' or 'tempfail' to happen still. That was the old way to do it while SPF was still in beta and it isn't anymore.
If you want to change the default way edit the file
Code:
/root/ispconfig/scripts/lib/classes/ispconfig_bind.lib.php
search for '~all' and change to '-all'. It's around line 258.
Code:
if($spfrecord['all_'] == 1){
$spf .= '-all';
} else {
$spf .= '?all';
}
That's it. Now if email is sent from outside the defined settings receiving email servers that check for SPF will discard and fail the email and prevent spoofing of your domains by spammers.
English | 
Deutsch
SPF and the difference between fail and soft fail
Linear Mode
Recent comments
12 hours 26 sec ago
14 hours 55 min ago
16 hours 9 min ago
17 hours 33 min ago
19 hours 11 min ago
20 hours 39 min ago
21 hours 53 min ago
1 day 13 hours ago
1 day 14 hours ago
1 day 18 hours ago