Hello all,

Apologies in advance if this is off-topic for this list. I hope it doesn't stir up too much of a hornet's nest :)
I run my own personal mail server, Linux, usual open source bits... One of my many layers/checks for inbound is SPF, insofar as I reject at the "front door" (SMTP connection) if SPF fails (example is a domain using "-all"). I would imagine this is pretty vanilla so far compared to other folks.

One of my kids got a part-time job, and part of their onboarding HR stuff came to their address on my server. It was rejected. The sending domain has a "-all" and this message was from an outsourced HR "partner" that apparently was sending from a machine not in the SPF record anywhere... When they asked them to send to their @gmail.com, it came right through (but details did show SPF fail). I should also note the From domain has a DMARC policy of none.

I've tested this a little bit, sending to my gmail / yahoo accounts. It seems like the behavior I see from some of the big guys (gmail and yahoo for this purpose) is:

    strict SPF (-all) + DMARC none      == accept
    strict SPF (-all) + no DMARC record == accept
    strict SPF (-all) + DMARC reject    == reject

I managed to pretty much replicate this behavior on my server by having my SPF check just add the header (but not reject). I then let OpenDMARC do its thing (its thing being reject if need be). However, this doesn't sit well with me. I've put my policy back to dropping SPF hard fails at the front door.

I think the case above that bothers me the most is the "strict SPF (-all) + no DMARC record == accept". I was very surprised these got through. In fairness, the test messages I sent above pretty much all went to the providers' "SPAM" folder. But I'm still bothered that they are accepting hard SPF fails. My understanding for the longest time is that an SPF policy of "-all" is a strong statement and should be honored as such. If the sending org can't keep their servers and message sources straight and up to date, that's their problem (well, my problem too ultimately, because I'm going to reject their mails from unauthorized sources).
Taking this a step further, I feel like if the "big guys" accept these messages anyway, they have set a (bad) precedent and said, in a manner of speaking, "what's the point of having SPF, we will accept it anyway...". I know the ultimate answer is "do what makes sense for me", but I'd love some feedback from folks here on what they consider best practice etc. Also, please help me with my understanding of SPF / DMARC interactions (especially with regard to what the big providers are doing) if I'm out of line. Thanks.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
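The two receiver configurations the post contrasts (reject on SPF hard fail at the SMTP front door, versus record the SPF result in a header and let DMARC decide) can be modelled as a small policy engine. The following is an added example written for this thread, not code from the poster, OpenDMARC or any provider; it embeds constructed DNS TXT records (the `.test` domains, IPs and the `DNS_TXT` table are all made up for the example), evaluates only the `ip4`/`ip6`/`all` SPF mechanisms, uses a simplified relaxed-alignment check instead of the organizational-domain lookup real DMARC implementations perform, and assumes no DKIM signature is present. Under those assumptions it reproduces the three provider outcomes listed above and shows why "strict SPF + no DMARC record" is accepted in the header-only mode: without a DMARC record there is no published policy to act on, so the SPF result does nothing more than annotate the message.

```python
import ipaddress

# Constructed DNS TXT records for the example (not real domains or records).
DNS_TXT = {
    "example-hr.test": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "_dmarc.example-hr.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-hr.test"],
    "strict.test": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject"],
    "nodmarc.test": ["v=spf1 ip4:203.0.113.5 -all"],   # -all but no DMARC record
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup; reads the constructed table above."""
    return DNS_TXT.get(name, [])


def check_spf(domain, client_ip):
    """Minimal SPF evaluator for the MAIL FROM domain.

    Handles ip4/ip6/all with +,-,~,? qualifiers; other mechanisms
    (include, a, mx, ...) are skipped in this toy. Returns one of
    pass / fail / softfail / neutral / none.
    """
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none"  # no record (or ambiguous ones): nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            try:
                # ipaddress returns False for a v4 address tested against a v6 network
                matched = ip in ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                matched = False
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def get_dmarc(domain):
    """Parse the _dmarc TXT record into a tag dict, or None if absent."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.startswith("v=DMARC1")]
    if not recs:
        return None
    return dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)


def aligned(mail_from_domain, from_domain):
    """Simplified relaxed alignment: same domain or one is a subdomain of the other."""
    return (mail_from_domain == from_domain
            or mail_from_domain.endswith("." + from_domain)
            or from_domain.endswith("." + mail_from_domain))


def decide(from_domain, mail_from_domain, client_ip, mode):
    """Return (action, spf_result, reason) for one inbound message.

    mode="front-door": reject any SPF hard fail at SMTP time (the poster's setting).
    mode="header-only": record SPF and let the DMARC policy decide (what the
    poster observed at the large providers).
    """
    spf = check_spf(mail_from_domain, client_ip)
    if mode == "front-door" and spf == "fail":
        return "reject", spf, "SPF -all hard fail rejected at SMTP"
    dmarc = get_dmarc(from_domain)
    if dmarc is None:
        return "accept", spf, "no DMARC record: SPF result only annotates headers"
    if spf == "pass" and aligned(mail_from_domain, from_domain):
        return "accept", spf, "DMARC pass via aligned SPF"
    p = dmarc.get("p", "none")  # DKIM not modelled: no aligned signature assumed
    action = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(p, "accept")
    return action, spf, f"DMARC fail, p={p}"


if __name__ == "__main__":
    # Constructed scenarios: the HR partner's unlisted host, a p=reject domain,
    # a -all domain with no DMARC record, and a legitimately listed host.
    cases = [
        ("example-hr.test", "198.51.100.77"),
        ("strict.test", "203.0.113.9"),
        ("nodmarc.test", "10.0.0.1"),
        ("example-hr.test", "192.0.2.10"),
    ]
    for dom, ip in cases:
        for mode in ("front-door", "header-only"):
            print(f"{dom:18} {ip:15} {mode:12} -> {decide(dom, dom, ip, mode)}")
```

Running the block prints the decision for each constructed scenario in both modes; the "nodmarc.test" row is the case the post finds surprising, accepted in header-only mode purely because there is no policy record to consult.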