On 7/26/23 2:09 PM, Matija Nalis wrote:
Only way to make SPF never incorrectly fail/softwail is to use "+all",
but that kind of kills its point :-)
I question the veracity of that.
Is SPF failing to perform it's intended function if an unauthorized
server is blocked from sending email with an envelope from a domain with
an SPF record ending in "-all"?
I'll defend that SPF is doing exactly what it was designed to do.
I'll agree that some people may be surprised at the message being
blocked. But that's a failure of the users understanding of SPF, and
not a failure of SPF itself.
It may be a bad configuration / SPF record, but again, that's not a
failure of SPF to do what it was designed to do.
(actually, even with +all, some sites will fail it - especially
because of it, as +all is sign of either intentional sloppy spammer
or incompetent postmaster, both likely leading to spam coming from
that site).
That is a receiving site applying local policy to override what the
purported sending site has published. -- I don't care how many
receiving sites apply that mentality. It is still contrary to what the
purported sending site published.
Any SPF, no matter how correctly configured, will lead to false
positives in some cases (e.g. encoutering mailing list or .forward
not using VERP/SRS).
Is that /truly/ a false positive? Or did SPF function the way that it
was designed and configured? I believe that it did.
I recently helped someone set up SPF for a new domain. It was working
fine for a few weeks until they tried to use a 3rd party service to send
email on their behalf. I said that's new information and we need to
update SPF to authorize the 3rd party to send email on their behalf.
Did SPF fail? Nope. SPF did exactly what it was designed to do. The
user changed what they wanted and needed to update their SPF record
accordingly.
SPF didn't fail. The user failed to make a change ahead of time.
It is inherit in the SPF protocol (which is why
DMARC checks both DKIM and SPF, in order to reduce, but not
eliminate, false positives).
DMARC is applying local policy and deciding to ignore the information
that SPF successfully provided.
Providing unfavorable information is not a failure to provide information.
We are NOT living in ideal world where everybody implements every
existing standard.
Agreed.
But we can strive for the ideal world. By doing so we will end up
closer to the ideal world than where we started, even if we fall short
thereof.
Thus, even most correctly configured SPF will
sometimes softfail/fail, when it should not.
I question the veracity of "should not".
Grant. . . .
