My main point is this: ESPs and other 3rd party SMTP services - should be aware that using an SPF record that validates against the provider's domain in the SMTP envelope-FROM (and not the actual client's domain) - AND ALSO - having only one DKIM record which uses the provider's domain in the DKIM record (and, again, not the actual client's domain) - so the combination of these 2 - is insufficient and substandard for validating the identity of the sender, especially in those cases where that service provider routinely allows spammers and scammers to abuse their service.

Oh, sure. If you're doing B2C or B2B mail which isn't going to run into the edge cases of individual or discussion list mail, it makes sense to publish a strict DMARC policy and add a DKIM signature which matches the header From: address. Leave the envelope address alone so the ESP can do the bounce handling.

So my question was simply asking if Amazon had some checks in place to prevent this scenario? ...since I saw some examples of them coming close to this fiasco.

They do. See the link in my message. I wouldn't say their abuse handling is fabulous, but considering their scale, it could be a lot worse.

The lowest tiers of AWS are very cheap, so it's not hard to sign up and do a few small scale experiments.

R's,
John

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
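
The alignment point discussed in this message, as an added example that is not part of the original email: a DMARC identifier-alignment check showing that SPF and DKIM passing only for the provider's domain leaves the header From: unauthenticated, while an extra DKIM signature for the client's domain aligns without touching the envelope address. The domains, the function names and the small suffix set standing in for the Public Suffix List are all constructed assumptions.

```python
# Added illustration: DMARC identifier alignment (RFC 7489, section 3.1).
# The suffix set stands in for the Public Suffix List and is a constructed
# assumption; all domains are reserved .example names.
PUBLIC_SUFFIXES = {"example", "com", "org", "co.uk"}


def org_domain(domain):
    """Return the organizational domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_eval(header_from, spf, dkim_sigs, strict=False):
    """spf is (envelope_from_domain, result); dkim_sigs is a list of (d=, result)."""
    spf_ok = spf[1] == "pass" and aligned(spf[0], header_from, strict)
    dkim_ok = any(res == "pass" and aligned(d, header_from, strict)
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


# Constructed messages. Both use the ESP's bounce domain in the envelope.
ESP_ONLY = dmarc_eval("client.example",
                      ("bounce.esp-provider.example", "pass"),
                      [("esp-provider.example", "pass")])
CLIENT_DKIM = dmarc_eval("client.example",
                         ("bounce.esp-provider.example", "pass"),
                         [("esp-provider.example", "pass"),
                          ("mail.client.example", "pass")])

if __name__ == "__main__":
    print("ESP-only auth:   ", ESP_ONLY)
    print("plus client DKIM:", CLIENT_DKIM)
```

Under a strict DKIM alignment mode the `mail.client.example` signature would no longer align with `client.example`, so the signing domain has to match the header From: domain exactly in that case.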
