On 24 Jan 2020, at 13:46, Gregory Heytings via mailop wrote:

>>> There is one, he should at least change "-all" to "?all" (or perhaps
>>> "~all").
>>
>> Using "-all" as the default in a SPF record does not have any readily
>> apparent effect on "Inbox" deliverability of SPF-authenticated mail
>> to GMail relative to "~all" based on domains whose mail and SPF
>> records I've been handling for many years. Do you have any actual
>> evidence to the contrary?
>
> Is the fact that Google themselves uses "~all" and not "-all" enough
> "actual evidence"?

No. Your appeal to authority is an invalid argument because Google does
not operate any small to medium sized mail systems. They prove every day
that they make mail handling decisions that would not work for much
smaller sites and do not do things that smaller sites have success with.
I note that Brandon Long has responded with what amounts to an admission
that Google is large enough that they don't really know how exactly they
filter mail. I assure you, I could not get away with such lack of
knowledge in the smaller environments I deal with.

> If not, is the fact that most other major email providers (Yahoo,
> Outlook/Hotmail, iCloud, AOL, ...) do the same enough "actual
> evidence"? If not, what kind of "actual evidence" are you expecting?

I *expect* none. I'd be giddily surprised to see measured delivery stats
worth the spinning rust/dirty sand they're stored on.

> These mail providers have more brainpower than any other company,

I'll stipulate that in absolute terms, but it simply isn't true on a
per-user basis. I am immeasurably more familiar with the email behavior
of every user with a billmail.scconsult.com address than Google is with
any of their users, and that immeasurability is not significantly less
for scconsult.com mailboxes. I would expect that I even know
substantially more about the range of email behaviors for the users of
any of the dozens of mostly larger domains I help handle mail and mail
filtering for, despite them not being family members. I also have more
power to constrain their supported behavior, including powers that
Google does not dare exert over their freemail customers but is happy to
delegate to the admins of paying Google Apps customer domains. The same
is true of MS with their Hotmail & O365 users.

> and would have more power than any other company to enforce a stricter
> policy if this was actually a good thing in practice.

I'm happy to agree, VEHEMENTLY, that -all does not scale to the size of
any significant freemail provider domain. I would love to have evidence
that the problems that should happen at much smaller scales actually DO
occur to a meaningful degree for all domains generally. For over a
decade, I have had no convincing evidence of that. Reliance on
transparent forwarding is increasingly hard to find and its visibility
is effectively zero below a certain scale of correspondent diversity.
I also have no evidence that mail such as that of the OP which passes
SPF checking and is accepted for delivery may then be subjected to
something which sees -all in the SPF records and considers that
spamsign.

> Therefore smaller providers that do not have that brainpower and power
> should IMHO use a less strict policy, hence the "?all" I would advise.

?all is almost pointless. It merely states explicitly the default result
according to the spec. ~all is more useful IF one actually knows that
the overwhelming bulk of authentic mail from the domain will hit some
specified 'pass' mechanism, but it has the downside of being mostly
ignored by receivers. -all is more useful but it is only safe if you are
willing to tolerate the breakage of transparent forwarding, which was
never a major problem and today is barely detectable unless your users
have a particularly long-tenured set of correspondents. It is not as
useful as it should be, but it isn't nothing and for many domains
(particularly small ones) the cost is in fact zero over any useful time
period.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
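
Added example, not part of the original message: a simplified SPF evaluator (ip4/ip6/all only, no DNS lookups) showing what a receiver computes for a listed sender and for a transparent forwarder when the record ends in -all, ~all, ?all, or has no "all" term. The record, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress

# Qualifier -> result returned when the qualified mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate a simplified SPF record (ip4/ip6/all only) for client_ip.

    Terms that need DNS (a, mx, include, exists, ptr) or modifiers such as
    redirect= are outside this sketch and raise ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                    # "all" always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported term in this sketch: {term}")
    # Nothing matched and there is no "all": the default result is neutral,
    # exactly what an explicit "?all" would have produced.
    return "neutral"


BASE = "v=spf1 ip4:192.0.2.0/24"  # constructed record, documentation range


def compare(client_ip):
    """Result for one client IP under each closing term discussed above."""
    endings = {"-all": " -all", "~all": " ~all", "?all": " ?all", "(no all)": ""}
    return {label: spf_result(BASE + tail, client_ip)
            for label, tail in endings.items()}


if __name__ == "__main__":
    # Listed sender, then a host outside the record (e.g. a transparent forwarder).
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, compare(ip))
```

The listed sender passes under every ending; only the unlisted host's result changes with the closing term, and "?all" is indistinguishable from omitting "all".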