On Thu, Dec 14, 2017 at 8:07 PM, Bill Cole <mailop-20160...@billmail.scconsult.com> wrote:
> On 14 Dec 2017, at 14:01 (-0500), Jim Popovitch wrote:
>
>> Aside from a few HUGE providers, those with very large and disparate
>> networks/offices/topology....
>
> SPF isn't related to the complexity of a network, but control of users using
> a domain name, which is a very different thing.

Forget about users, think IoT devices. ~all makes it easy for a hacked
device to send emails using your domain.

>> -all means that the domain operator knows what they are doing,
>
> No, it means they know what their users do. Not every network or domain is
> used as a mailbox provider.

Or that they THINK they do.

>> knows what their network consists of and how email is routed within their
>> network. It further states that the -all publisher has committed to
>> staying abreast of what happens in their environment in order to
>> assure their IP space is properly routing email. It instills
>> confidence.
>
> There continue to be sites that do traditional ~/.forward-style transparent
> SMTP forwarding, which preserves the envelope sender as received. There
> continue to be websites which give users the ability to send content to
> others which use the address of the user initiating the action as the
> envelope sender, so that bounces go to the person who might care.
>
> Last I checked, it was frowned upon for sysadmins to execute users who
> obliviously violate an SPF '-all' policy by mailing a 'wrong' person or using
> a 'wrong' 3rd-party system.
>
>> ~all is just plain lazy, and is akin to saying that you don't have
>> confidence in your ability to own and control your own network;
>
> You keep using that word. I do not think it means what you think it means.

Ahh, a Princess Bride fan...

> If you consider users to be a subordinate part of a "network" then no
> "network" is controllable or should be.

No, that's not what I'm saying. Forget about users, think spambot-infested
devices on your network (or on someone else's network using your domain).

>> and you want others to spend some level of time/money (in the form of CPU
>> cycles) analyzing email emitted from your network to determine its
>> suitability for deliverability.
>
> There you go saying "your network" again, yet fundamentally '~all' says 'my
> users might cause mail using my domain name to come from networks OTHER THAN
> mine.' Which is true of almost any significant set of users. Mail actually
> from the domain owner's network properly will be authenticated by what comes
> BEFORE the '~all' default.

Of course, but we're not really discussing what comes before the ~all or -all,
rather what comes after the properly identified network resources listed in
the SPF RR.

-Jim P.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
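The disagreement above is about what the trailing qualifier does to senders that are NOT in the published network list. The following Python is an added example, not code posted by either participant: a toy SPF (RFC 7208) evaluator that handles only literal ip4:/ip6: mechanisms and the all default, with no DNS and no include/a/mx/redirect support. The two records, the sender labels and the IP addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for illustration; the function names are this example's own.

```python
"""Minimal SPF qualifier evaluator: ip4:/ip6: mechanisms plus the "all" default.

Constructed example. It is deliberately NOT a full SPF implementation: any
mechanism that needs DNS (include, a, mx, exists, redirect) raises, so the
toy never silently returns a result it cannot justify.
"""
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _parse_mechanism(term):
    """Split one record term into (qualifier, mechanism name, argument)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral for client_ip against a literal record.

    Mechanisms are tried left to right; the first match decides. If nothing
    matches and there is no "all" term, RFC 7208 says the result is neutral.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier, name, arg = _parse_mechanism(term)
        if name == "all":
            # Everything that reached this point is "after the properly
            # identified network resources": the qualifier here is the whole
            # ~all versus -all question.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS; not handled here")
    return "neutral"


# Constructed records for one hypothetical domain: identical network list,
# differing only in the default applied to every other sender.
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
HARD_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Constructed senders. The last two are the cases argued over in the thread:
# a compromised device outside the listed space, and a transparent forwarder
# that preserves the envelope sender. SPF cannot tell them apart; both are
# simply "not in the list".
SENDERS = {
    "own MTA (IPv4)": "192.0.2.25",
    "own MTA (IPv6)": "2001:db8::25",
    "hacked IoT device elsewhere": "203.0.113.77",
    "forwarding host, envelope kept": "198.51.100.10",
}


def compare_defaults(senders=SENDERS):
    """Map each sender label to (result under ~all, result under -all)."""
    return {
        label: (evaluate_spf(SOFT_RECORD, ip), evaluate_spf(HARD_RECORD, ip))
        for label, ip in senders.items()
    }


if __name__ == "__main__":
    for label, (soft, hard) in compare_defaults().items():
        print(f"{label:32} ~all -> {soft:9} -all -> {hard}")
```

Running it shows the listed MTAs pass under both records, while the hacked device and the envelope-preserving forwarder get softfail under ~all and fail under -all, with no way for the receiver to distinguish the two from SPF alone. What a receiver does with softfail versus fail is a local policy decision; the record only supplies the label.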