If I've diagnosed correctly, it looks like Yahoo's current "reject if sender is unauthenticated" message could be improved to give better DMARC enforcement feedback.
Today, Yahoo is explicitly erroring with "SPF failed" when it did not. From my testing, the actual rejections were happening because the DMARC "p=" was set to "none".

I have at least one example (alpca.org) where SPF was valid (though messy):

    alpca.org descriptive text "v=spf1 +a +mx +ip4:207.58.131.169 +ip4:207.58.131.172 +ip4:207.58.131.168/29 +include:_spf.google.com ~all"

... and the _spf.google.com include expanded properly (ip4:209.85.128.0/17) to include the sending IP (209.85.208.41):

https://easydmarc.com/tools/spf-lookup?domain=alpca.org

    include: _spf.google.com
    3 NESTED LOOKUPS
    v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all

    include: _netblocks.google.com
    v=spf1 ip4:74.125.0.0/16 ip4:173.194.0.0/16 *ip4:209.85.128.0/17* ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all

... but Yahoo is still rejecting it as unauthenticated, saying "SPF alpca.org with ip 209.85.208.41 = FAILURE", which is incorrect:

    550 5.7.9 This mail has been blocked because the sender is unauthenticated. Yahoo requires all senders to authenticate with either SPF or DKIM. Authentication results: DKIM = FAILURE - SPF alpca.org with ip 209.85.208.41 = FAILURE. See https://senders.yahooinc.com/smtp-error-codes/#authentication-failures for more information.

If the issue is DMARC, it would be helpful to say so explicitly, to avoid "why is my SPF broken" mis-diagnostic rabbit trails.

(Note that I'm deliberately setting aside the larger question of whether "p=none" should be considered "unauthenticated" when authentication is clearly happening.)

--
Royce Williams
Tech Solvency
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
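
The manual SPF walk described in the message above, as an added example that is not part of the original post: a small offline evaluator run over the TXT records quoted there. `SPF_TXT` and `check_spf` are hypothetical names, and the `a`/`mx` mechanisms are assumed not to match because the post does not show those hosts' addresses.

```python
import ipaddress

# Constructed offline DNS table: TXT records copied from the post above.
# _netblocks2/_netblocks3 are not quoted in the post, so they are absent here.
SPF_TXT = {
    "alpca.org": "v=spf1 +a +mx +ip4:207.58.131.169 +ip4:207.58.131.172 "
                 "+ip4:207.58.131.168/29 +include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:74.125.0.0/16 ip4:173.194.0.0/16 "
                             "ip4:209.85.128.0/17 ip4:216.58.192.0/19 "
                             "ip4:216.239.32.0/19 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms


def check_spf(domain, ip, state=None):
    """Return (result, trace) for `ip` against `domain`'s SPF record."""
    state = state if state is not None else {"lookups": 0, "trace": []}
    record = SPF_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", state["trace"]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name in ("a", "mx", "include", "exists", "ptr"):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", state["trace"]
        if name == "ip4":
            matched = addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the nested evaluation is a pass
            matched = check_spf(arg, ip, state)[0] == "pass"
        elif name == "all":
            matched = True
        else:
            # a / mx need address lookups the post does not show;
            # assumption: those hosts do not cover the sending IP.
            matched = False
        if matched:
            state["trace"].append(f"{domain}: {term}")
            return QUALIFIERS[qualifier], state["trace"]
    return "neutral", state["trace"]
```

Calling `check_spf("alpca.org", "209.85.208.41")` returns the result together with the chain of mechanisms that matched, innermost include first.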