On 01/25/2018 12:27 PM, RW wrote:
On Thu, 25 Jan 2018 09:53:12 -0600
David Jones wrote:

On 01/25/2018 09:34 AM, RW wrote:

There is nothing wrong with stopping a soft fail if that is what
they want to do.  In fact, most people should stop at soft fail
unless they really know what they are doing or they are a major
brand with a high risk of spoofing.

There's more to it than that.

All of the above use DMARC and if you use -all in combination with
DMARC you are allowing the SPF result (which is only one component
of DMARC) and SPF's legacy policy mechanism to override both the
DMARC result and the DMARC policy. The DMARC RFC has a warning
about this.

My understanding based on real world results and the link below says
that for DMARC to pass you have to have SPF pass and envelope-from
domain alignment _OR_ DKIM pass and header From: domain alignment.
If you have both then it's even better.

https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/

SPF_PASS can hit with either "~all" or "-all" so it doesn't make a
difference to DMARC pass.

From RFC 7489

10.1.  Issues Specific to SPF

    ...

    Some receiver architectures might implement SPF in advance of any
    DMARC operations.  This means that a "-" prefix on a sender's SPF
    mechanism, such as "-all", could cause that rejection to go into
    effect early in handling, causing message rejection before any DMARC
    processing takes place.  Operators choosing to use "-all" should be
    aware of this.


Since very few sites can reject on SPF fails because SPF failures are so prevalent on legit email, I don't think this is happening in the real world.

This is my main point that some large force like Google or SA needs to take steps to make SPF failures worth something. This would start with Microsoft ceasing to recommend "-all" to their Office 365 customers who don't know what they are doing. Google correctly recommends "~all" to their customers as a default. Then if you know what you are doing and have run DMARC reporting for several months to get your SPF record complete, then you switch to "-all".

--
David Jones
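The DMARC pass condition discussed in this thread (SPF pass with an aligned envelope-from domain, or DKIM pass with an aligned d= domain) and the RFC 7489 section 10.1 early-reject scenario, as a small added Python model. This is example code written for this page, not from the thread or from SpamAssassin; the domains, addresses and SPF records are constructed, and the organizational-domain logic is simplified (real DMARC uses the Public Suffix List).

```python
# Constructed sample SPF records: same permitted sender, different "all" qualifier.
SPF_SOFT = "v=spf1 ip4:192.0.2.10 ~all"
SPF_HARD = "v=spf1 ip4:192.0.2.10 -all"


def org_domain(domain: str) -> str:
    # Simplified organizational domain: last two labels (real DMARC uses the PSL).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain: str, from_domain: str, mode: str = "r") -> bool:
    # "s" = strict (exact match), "r" = relaxed (same organizational domain).
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def spf_result(sender_ip: str, record: str) -> str:
    # Minimal SPF evaluator: only ip4:<addr> terms and the final "all" qualifier.
    terms = record.split()[1:]
    for term in terms:
        if term.startswith("ip4:") and term[4:] == sender_ip:
            return "pass"
    qualifier = terms[-1][0] if terms[-1][0] in "-~?+" else "+"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]


def dmarc_result(from_domain, mailfrom_domain, spf, dkim_d, dkim, aspf="r", adkim="r"):
    # DMARC passes if EITHER authenticated identifier aligns with the header From: domain.
    spf_ok = spf == "pass" and aligned(mailfrom_domain, from_domain, aspf)
    dkim_ok = dkim == "pass" and dkim_d is not None and aligned(dkim_d, from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def deliver(sender_ip, record, from_domain, mailfrom_domain, dkim_d, dkim,
            spf_first_reject=False):
    """Return (spf, dmarc). dmarc is None when a receiver that enforces SPF before
    DMARC rejected the message on "-all", the RFC 7489 section 10.1 scenario."""
    spf = spf_result(sender_ip, record)
    if spf_first_reject and spf == "fail":
        return spf, None
    return spf, dmarc_result(from_domain, mailfrom_domain, spf, dkim_d, dkim)


if __name__ == "__main__":
    # Listed sender: the "all" qualifier makes no difference to the DMARC verdict.
    print(deliver("192.0.2.10", SPF_SOFT, "example.com", "example.com", None, "none"))
    print(deliver("192.0.2.10", SPF_HARD, "example.com", "example.com", None, "none"))
    # Unlisted sender with aligned DKIM: DMARC passes unless SPF "-all" is enforced first.
    print(deliver("192.0.2.99", SPF_HARD, "example.com", "example.com", "example.com", "pass"))
    print(deliver("192.0.2.99", SPF_HARD, "example.com", "example.com", "example.com", "pass",
                  spf_first_reject=True))
```

The last two calls show the thread's point: with "-all" and an SPF-first receiver, a DKIM-authenticated message is rejected before DMARC can render its pass, while "~all" yields softfail and lets DMARC decide.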
