On Fri, 11 Oct 2024, Scott Q. wrote:
if you don't mind me asking, when you say:

which makes it easy for any of their customers to SPF spoof any
other customer.

you mean the header or the envelope from? AFAIK, the envelope from is
(should be!) tied to the authenticated user

Indeed it should be.  Often it is.  But not always.

R's,
John

On Friday, 11/10/2024 at 00:21 John Levine via mailop wrote:



It appears that Dave Crocker via mailop  said:

On 10/9/2024 11:57 PM, Matus UHLAR - fantomas via mailop wrote:
checking SPF is a fallback mechanism.

SPF is a fairly complex, fragile tool and it makes DMARC.. Its
inclusion in DMARC is always justified with language such as you used,
but I've never seen any data offered about just how useful it is.

People at large mail systems tell me SPF is not very useful.  That
is particularly true these days when so much mail is sent from large
shared systems which makes it easy for any of their customers to
SPF spoof any other customer.

If SPF support were eliminated from DMARC, what actual change in
DMARC utility would this have?

The most likely effect is that people who have a checklist for
their mail system that includes "implement DMARC" which they
satisfied by publishing an SPF record and nothing else will be
sad.  But I can't feel very sorry for them.

R's,
John
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
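
Added example, not part of the thread: a small DMARC evaluator that compares verdicts with and without the SPF leg, to show which kinds of mail change outcome if SPF were dropped from DMARC. The sample results and domains are constructed, the organizational-domain function is a naive stand-in for the Public Suffix List, and the "other tenant" case assumes a shared sender that does not tie the envelope from to the authenticated user.

```python
def org_domain(domain):
    # Assumption: naive organizational domain (last two labels). A real
    # evaluator uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    a, b = auth_domain.lower(), header_from.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_pass(msg, use_spf=True, strict=False):
    """DMARC passes if an aligned DKIM signature or an aligned SPF result passes."""
    dkim_ok = any(result == "pass" and aligned(d, msg["header_from"], strict)
                  for d, result in msg["dkim"])
    spf_ok = (use_spf and msg["spf"] == "pass"
              and aligned(msg["mail_from"], msg["header_from"], strict))
    return dkim_ok or spf_ok

# Constructed authentication results; all domains are placeholders.
SAMPLES = {
    "own mail, aligned DKIM": {
        "header_from": "a.example", "mail_from": "bounce.a.example",
        "spf": "pass", "dkim": [("a.example", "pass")]},
    "forwarded, aligned DKIM": {
        "header_from": "a.example", "mail_from": "a.example",
        "spf": "fail", "dkim": [("a.example", "pass")]},
    "SPF-only domain": {
        "header_from": "c.example", "mail_from": "c.example",
        "spf": "pass", "dkim": []},
    # Shared sender whose IPs are in a.example's SPF record; the message
    # carries only another customer's DKIM signature.
    "other tenant, shared sender": {
        "header_from": "a.example", "mail_from": "a.example",
        "spf": "pass", "dkim": [("b.example", "pass")]},
}

def verdict_changes(samples, strict=False):
    """Return {name: (with_spf, dkim_only)} for messages whose verdict differs."""
    changed = {}
    for name, msg in samples.items():
        with_spf = dmarc_pass(msg, True, strict)
        dkim_only = dmarc_pass(msg, False, strict)
        if with_spf != dkim_only:
            changed[name] = (with_spf, dkim_only)
    return changed

if __name__ == "__main__":
    for name, (with_spf, dkim_only) in verdict_changes(SAMPLES).items():
        print(f"{name}: with SPF={with_spf}, DKIM only={dkim_only}")
```

Only the SPF-only domain and the cross-tenant message change verdict; mail with an aligned DKIM signature passes either way, including after forwarding breaks SPF.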