On 09/05/2012 15:16, Asymmetrics Webmaster wrote: > While is a bad idea to reject mail without SPF records, its a good idea to > reject email if the SPF record is present and incorrectly set or not > authorized for the sender (hardfail). > > SA works after the email gets in the queue, but the most efficient way, > whenever possible, is to reject it (not bounce it) before it gets in the > queue, as there is a chance the admin of the sender mail server gets a > notice sooner and take the necessary steps to identify compromised systems, > fix the problems etc. > > My SpamAssassin works at the MTA level through a milter. It doesn't queue the mail and check later - the mail is checked after SMTP DATA and the decision to reject the email is made there and then. So, no, SA does not work after the email gets in the queue, as you say. That is dependent on implementation. -- Best Regards, Giles Coochey, CCNA Security, CCNA NetSecSpec Ltd giles.coochey at netsecspec.co.uk Tel: +44 (0) 7983 877 438 Live Messenger: giles at coochey.net http://www.netsecspec.co.uk http://www.coochey.net