On Thu, Jun 9, 2016 at 2:59 PM, Laura Atkins <la...@wordtothewise.com> wrote:
> > > On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt <bernhard.schm...@lrz.de> > wrote: > > > > On 09.06.2016 18:20, Laura Atkins wrote: > >> > >>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt <bernhard.schm...@lrz.de> > wrote: > >>> > >>> Header-From and Envelope-From are aligned, the sending domain does not > >>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is > >>> not rolled out for all domains yet. The hosts in question do have > proper > >>> FCrDNS, i.e. > >>> > >>> > http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html > >>> > >>> Anyone seeing the same? From outside it looks like Google has > >>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF > >>> authenticated" previously done by Microsoft, but without the softfail. > >> > >> Yes. They have. They do not accept unauthenticated mail over v6. All > you need to do is publish a SPF record and you should be good to go. > > > > Adding an SPF record for some remote understaffed downstream university > > institute is not that easy if you don't know where their mail flows > > might come from. Forcing SPF on them might do more harm than good. > > I didn’t notice it was a university. That I know how problematic it is to > get control of a .edu domain and all the different campus servers and > individual servers run by faculty and staff and such. Had I know I probably > wouldn’t have recommended that. > > Yes it is hard to know the IPs of where all the emails are coming from but you can start by an SPF record with the IPs you know about and terminate it by ~all. the ~all just says, if it does not pass it may be still ok. You complete the SPF as you learn more about your infrastructure and what is not working. I don't think you need the gift of omniscience to get started with SPF.
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
