On 21.08.23 10:26, Laura Atkins via mailop wrote:
> This recommendation doesn’t make sense. For companies that actually
> reject due to SPF, they’re most likely going to do it after MAIL FROM:
> At this point in the transaction, they don’t know what the DMARC domain
> is. They can look up DMARC for the domain in the MAIL FROM: but that may
> or may not be connected to the actual domain in the 5322.from.
>
> I mean, I think it’s a bad idea to reject for SPF failures, but for
> folks who do I can’t imagine they want to see the full content of the
> message before just throwing it away. That seems wasteful.
>
> laura
>

Exactly. Also, I don't think that in all the scenarios where a legitimate mail gets an SPF failure (due to forward/relay for instance) DKIM will still be good. If they don't care about breaking SPF, I guess they don't care about breaking DKIM either. Avoiding breaking SPF isn't rocket science.

We reject on SPF hard failure (-all) after RCPT TO, in order to still let our users welcome list repeat offenders. For this, the sender host (or IP) must have been provided. This works great with mailing-lists and forwards for instance.

By the way, hotmail.com still hasn't fixed the issue :-s
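
An added example, not part of the original message or of the poster's mail system: a sketch of the per-recipient decision that rejecting at RCPT TO (rather than at MAIL FROM) makes possible. The welcome-list layout, the function names and the addresses are assumptions constructed for illustration; the SPF verdict is taken as already computed at MAIL FROM.

```python
import ipaddress

# Constructed sample data: per-recipient welcome list of sending networks.
# Keying it on the client IP is an assumption about "sender host (or IP)".
WELCOME = {
    "alice@example.org": [ipaddress.ip_network("192.0.2.0/24")],
}

def rcpt_decision(spf_result, client_ip, rcpt, welcome=WELCOME):
    """SMTP reply for one RCPT TO, given the SPF verdict computed at MAIL FROM."""
    if spf_result != "fail":  # only the -all hard failure is rejected
        return 250, "2.1.5 OK"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in welcome.get(rcpt.lower(), [])):
        return 250, "2.1.5 OK, sender welcome-listed by recipient"
    return 550, "5.7.23 SPF validation failed"

def run_envelope(spf_result, client_ip, rcpts, welcome=WELCOME):
    """Replay the RCPT TO phase; DATA is only useful if a recipient was accepted."""
    replies = {r: rcpt_decision(spf_result, client_ip, r, welcome) for r in rcpts}
    accepted = [r for r, (code, _) in replies.items() if code == 250]
    return replies, accepted

if __name__ == "__main__":
    # A forwarder at 192.0.2.25 relays mail whose envelope sender fails SPF.
    replies, accepted = run_envelope(
        "fail", "192.0.2.25", ["alice@example.org", "bob@example.org"])
    for rcpt, (code, text) in replies.items():
        print(rcpt, code, text)
    print("proceed to DATA:", bool(accepted))
```

A rejection at MAIL FROM would have refused the message for both recipients before either welcome list could be consulted.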