On 21 August 2023 14:51:14 UTC, Al Iverson via mailop <mailop@mailop.org> wrote:
>The problem is that even if you have DMARC in place, it is VERY easy
>to configure SPF checking so that SPF-failing mail is blocked at the
>edge...you never get far enough to denote DKIM passing. Having
>accidentally configured OpenDKIM and Python-PolicyD-SPF this way
>myself in the past, I imagine others likely have too, and not
>everybody's smart enough to notice when the edge cases are getting
>weird.
>
>It also depends on whether or not you want to really rely on DMARC or
>not. If so, ~all would stop SPF alone causing a bounce, but still
>leave things up to DMARC as far as rejecting or not ... so DKIM would
>be considered. Assuming it's all configured correctly on the receiving
>side. So, ~all is the way to go given that if done in conjunction with
>DMARC, you're still telling the world to reject faked mail, but in a
>slightly more safe manner.

IMO you perfectly describe what I tried to point out some time ago. The sender cannot reliably satisfy both the receivers doing standalone SPF (or SPF before DMARC) and the receivers doing full DMARC. If one uses -all, then those doing SPF rejects can reject valid mails with DMARC pass (+DKIM). If one uses ~all, those not doing DMARC will not reject fake senders... And all that just because checking SPF is so easy (lightweight).

AFAIK, it is clearly mentioned in the DMARC FAQ (don't do SPF action before DMARC discovery), but for some reason (unknown to me) that is missing in the RFC.

IMO, DKIM + DMARC is a more robust way to prove mail source than SPF itself. To satisfy SPF one can simply use one's own MAIL FROM, really easy for an attacker, harder in legitimate indirect mail flows.

For that, I check standalone SPF at the MAIL/RCPT stage only as part of scoring, and apply it only later, and only if no DMARC record was discovered (or if the DMARC policy is p=none). In other words, I invest some resources to satisfy what the sender asked. But my MTA is too small to change anything...
regards

-- 
Slavko
https://www.slavino.sk/
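
The ordering problem discussed in this message, as an added example that is not part of the original post: it compares a receiver that acts on SPF at MAIL/RCPT with one that applies SPF only after DMARC discovery. The function names, the `Msg` fields and the sample messages are assumptions made for illustration, and scoring is simplified to an accept/reject decision.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Msg:
    spf: str                     # SPF result for MAIL FROM: pass | fail (-all) | softfail (~all)
    spf_aligned: bool            # MAIL FROM domain aligns with the From: header domain
    dkim_aligned_pass: bool      # valid DKIM signature aligned with the From: domain
    dmarc_policy: Optional[str]  # From: domain's policy: None (no record), none, quarantine, reject

def dmarc_pass(m: Msg) -> bool:
    # DMARC passes if either aligned SPF or aligned DKIM passes
    return (m.spf == "pass" and m.spf_aligned) or m.dkim_aligned_pass

def edge_spf_receiver(m: Msg) -> str:
    """Standalone SPF at MAIL/RCPT: decides before DATA, so DKIM is never evaluated."""
    return "reject" if m.spf == "fail" else "accept"

def deferred_spf_receiver(m: Msg) -> str:
    """SPF result is only recorded at MAIL/RCPT and applied after DMARC discovery."""
    if m.dmarc_policy in ("quarantine", "reject"):
        return "accept" if dmarc_pass(m) else m.dmarc_policy
    # No DMARC record or p=none: fall back to what the sender's SPF record asked for.
    # Simplification (assumption): hard fail rejects outright instead of adding to a score.
    return "reject" if m.spf == "fail" else "accept"

# Constructed sample messages, not real traffic.
CASES = {
    "forwarded, -all, DKIM intact": Msg("fail", False, True, "reject"),
    "forwarded, ~all, DKIM intact": Msg("softfail", False, True, "reject"),
    "spoofed From:, ~all, unsigned": Msg("softfail", True, False, "reject"),
    "spoofed From:, own MAIL FROM": Msg("pass", False, False, "reject"),
    "spoofed From:, -all, no DMARC record": Msg("fail", True, False, None),
}

def compare() -> dict:
    # Map each case name to (edge-SPF decision, SPF-after-DMARC decision)
    return {name: (edge_spf_receiver(m), deferred_spf_receiver(m)) for name, m in CASES.items()}

if __name__ == "__main__":
    for name, (edge, deferred) in compare().items():
        print(f"{name:40} edge-SPF={edge:8} SPF-after-DMARC={deferred}")
```
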