On 23.04.2021 at 08:27:31 Phil Stracchino wrote:
> On 4/23/21 5:15 AM, Jaroslaw Rafa wrote:
> > However, "thanks" to Google and other
> > big e-mail providers who started to enforce that EVERY email sent to them
> > must pass SPF/DMARC check - as a method of "antispam protection" (which it
> > isn't, because a spammer can have a perfectly valid SPF/DMARC setup) -
>
> Well, yes, they can, but they can't send mail to you claiming to be from
> your bank's domain without it failing SPF and/or DMARC checks. So it IS
> a perfectly valid anti-spam measure.
Anti-spoofing, not anti-spam. That's exactly what I wrote. SPF/DMARC does nothing against a typical spammer who does not pretend to be someone other than who he is, but just uses spam as a shitty method to advertise his product, whatever it is. And the huge majority of the thousands of spams I have ever seen in my life fall into that category. They try to sell crappy SEO services, "shady" financial services for companies, they are selling e-mail address lists to other wannabe spammers, etc. "Regular" products, like for example car accessories or fashion, are also advertised this way. I have even seen a spam advertising... antispam software! (it was probably not worth giving a try ;)). Of course, there are also straightforward frauds like the "Nigerian" scheme or "Russian woman looking for husband". But all those people do not try to use someone else's email address; they usually use existing e-mail addresses created specifically for the purpose of spamming, because they want to get replies from their "targets". All these emails can - and usually do - perfectly pass the SPF/DMARC check.

So it is a huge mistake to treat SPF/DMARC as an anti-spam measure and a positive SPF/DMARC check as an indicator that the message is not spam. It has nothing to do with the message being spam/non-spam. SPF/DMARC protects from impersonation. A negative SPF/DMARC check is a sign that the message may (but not necessarily does) come from somewhere other than the sender it claims to come from. Only that.

Therefore - as I wrote - it should be used to protect email from selected domains. One important requirement should be that these domains send mail *only directly to their customers*. Usually this applies to automated, "transactional" email like signup confirmations, password change links, purchase notifications from e-shops, bank account statements, etc. It should *not* be used for domains that have real, human e-mail users who can, for example, participate in mailing lists.
This topic has already been discussed millions of times, but - as said - "big" providers are forcing it their own way. They are viewing the entire Internet as a world of e-commerce. From that point of view, if all websites are e-commerce, then encryption on each website is necessary. If all e-mails are transactional (sent only as a result of e-commerce activities), then SPF/DMARC on every e-mail is necessary. But in reality the Internet is not as they imagine it to be. Not yet. But by forcing us to adopt the practices they "invented" they are pushing more and more towards that vision - the Internet being a huge marketplace only, nothing else. :(
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
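An added example, not part of the thread above, that makes the distinction concrete: a minimal SPF check plus DMARC alignment (SPF path only; DKIM omitted) run over constructed DNS data. The domains, IPs and policies are invented for illustration. It shows the three situations discussed: a spammer using his own correctly configured domain passes, a message forging the bank's From: domain fails, and a real user's mail relayed through a mailing list fails because the list's envelope sender no longer aligns with the visible From:.

```python
from dataclasses import dataclass

# Constructed "DNS": domain -> IPs its (hypothetical) SPF record authorises.
SPF_AUTHORISED = {
    "cheap-seo-offers.example": {"203.0.113.10"},  # spammer's own domain, valid SPF
    "bank.example": {"198.51.100.5"},              # bank's real outbound relay
    "rafa.example": {"192.0.2.20"},                # personal domain with human users
    "lists.example": {"192.0.2.99"},               # a mailing list server
}
# Constructed DMARC policies (p= tag); strict alignment assumed throughout.
DMARC_POLICY = {
    "bank.example": "reject",
    "rafa.example": "reject",
    "cheap-seo-offers.example": "none",
}

@dataclass
class Message:
    client_ip: str    # IP that connected to our MTA
    mail_from: str    # envelope sender (Return-Path) domain
    header_from: str  # RFC 5322 From: domain shown to the user
    spammy: bool      # content is unwanted; invisible to SPF/DMARC

def spf_result(msg: Message) -> str:
    """SPF asks only: may client_ip send for the envelope-from domain?"""
    return "pass" if msg.client_ip in SPF_AUTHORISED.get(msg.mail_from, set()) else "fail"

def dmarc_result(msg: Message) -> str:
    """DMARC passes when SPF passes AND the envelope-from domain aligns with
    the visible From: domain; otherwise the published policy applies."""
    policy = DMARC_POLICY.get(msg.header_from)
    if policy is None:
        return "none"  # no policy published for the From: domain
    aligned = spf_result(msg) == "pass" and msg.mail_from == msg.header_from
    return "pass" if aligned else policy

def evaluate(msg: Message) -> dict:
    """Authentication verdicts next to the spam label, to show they are unrelated."""
    return {"spf": spf_result(msg), "dmarc": dmarc_result(msg), "spam": msg.spammy}

# Constructed cases for the three situations in the thread.
SPAMMER = Message("203.0.113.10", "cheap-seo-offers.example", "cheap-seo-offers.example", True)
SPOOFED_BANK = Message("203.0.113.10", "bank.example", "bank.example", True)
VIA_LIST = Message("192.0.2.99", "lists.example", "rafa.example", False)
```

`evaluate(SPAMMER)` passes both checks while being spam; `evaluate(SPOOFED_BANK)` and `evaluate(VIA_LIST)` both end in `reject`, though only one of them is forged.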