Very interesting.
For years, I ran Postfix with a separate SPF-checking milter (policyd-spf-perl) that provided 100% blocking of SPF-fail emails at the server level. (I also did RBL checking the same way.) This had several advantages:
- Server logs immediately show bad-actor email sources
- Fail2ban analysis could firewall those sources
- No user or admin needs to deal with such garbage
In updating to this new system, I have been curious what the impact of doing SPF/RBL checking in SpamAssassin would be.
Clearly, at the least quite a bit more traffic will make it through.
But I think even more important is this: SpamAssassin provides a single metric for scoring “spam” – the “score.”
AFAIK, most users (and admins TBH) think of “spam” as a question of “is this a valid email from a reputable source.” The decision is made on the content of the message.
When dealing with SPF failure, or extreme RBL failure, the physical source of the email is invalidated. It doesn’t matter what the content is.
I’m thinking it is risky (and costly in several ways) to fold invalid-source information into the SpamAssassin score.
But maybe that’s just me.
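An added example, not part of the original post: the kind of log analysis the list of advantages above refers to, counting SMTP-time SPF and RBL rejects per source IP the way a Fail2ban filter would. The log lines are constructed, and the reject wording, the function names and the `max_retry` threshold are assumptions.

```python
import re
from collections import Counter

# Constructed log lines shaped like Postfix smtpd rejects; the reject wording
# ("SPF fail", "blocked using") is an assumption and varies with the checker.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[2101]: connect from mail.example.com[192.0.2.10]
Mar  3 10:00:02 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.7.1 <u@example.org>: Recipient address rejected: SPF fail - not authorized; from=<a@example.com> to=<u@example.org>
Mar  3 10:00:09 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using rbl.example.net; from=<b@example.com> to=<u@example.org>
Mar  3 10:01:15 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.7.1 <v@example.org>: Recipient address rejected: SPF fail - not authorized; from=<a@example.com> to=<v@example.org>
Mar  3 10:01:40 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using rbl.example.net; from=<c@example.com> to=<u@example.org>
Mar  3 10:02:05 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 550 5.7.1 <u@example.org>: Recipient address rejected: SPF fail - not authorized; from=<d@example.com> to=<u@example.org>
Mar  3 10:02:30 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.50]: 450 4.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<e@example.com> to=<nobody@example.org>
Mar  3 10:03:00 mx postfix/smtpd[2108]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using rbl.example.net; from=<f@example.com> to=<u@example.org>
"""

REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S*?\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"(?P<code>[45]\d\d) (?P<text>.*)$"
)

def classify(text):
    """Map reject text to an invalid-source reason, or None for other rejects."""
    if "SPF fail" in text:
        return "spf"
    if "blocked using" in text:
        return "rbl"
    return None

def parse_rejects(log):
    """Return (ip, reason) for every SMTP-time reject caused by SPF or RBL."""
    hits = []
    for line in log.splitlines():
        m = REJECT.search(line)
        if m and (reason := classify(m.group("text"))):
            hits.append((m.group("ip"), reason))
    return hits

def ban_candidates(log, max_retry=2):
    """IPs with at least max_retry invalid-source rejects (hypothetical threshold)."""
    counts = Counter(ip for ip, _ in parse_rejects(log))
    return {ip: n for ip, n in counts.items() if n >= max_retry}

if __name__ == "__main__":
    for ip, n in sorted(ban_candidates(SAMPLE_LOG).items()):
        print(f"{ip} rejected {n} times for SPF/RBL failure")
```

Rejects that are not about source validity (the "User unknown" line) are deliberately left out of the count, so only SPF and RBL failures feed the ban list.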