On Thu, 8 Oct 2015 13:59:31 +0100
RW wrote:

> On Thu, 8 Oct 2015 13:13:57 +0100
> RW wrote:
>
> > On Tue, 6 Oct 2015 17:05:48 -0400
> > Kevin A. McGrail wrote:
> >
> > > On 10/6/2015 5:01 PM, Jered Floyd wrote:
> > > > Ah; good eyes!
> > > >
> > > > That KAM_FACEBOOK rule is dangerous.
> > > The behavior of forwarding content which effectively is the same
> > > as a forgery is where the danger lies... If this is behavior that
> > > users are performing, of course then there needs to be appropriate
> > > reaction but overall, forwarding emails is going to cause issues
> > > with a ton of domains and should be discouraged entirely.
> >
> >
> > Assuming that Facebook applies DKIM consistently, I think it would
> > be better to replace:
> >
> > (SPF_FAIL + DKIM_ADSP_ALL >=1)
> >
> > with
> >
> > DKIM_ADSP_ALL && ! (SPF_PASS && __ENV_AND_HDR_FROM_MATCH)
>
> I didn't think that through, there's no scenario where SPF helps, so
> all that's needed is:

Actually, come to think of it, there is a scenario where the internal network incorporates a third-party forwarding server that doesn't rewrite the envelope-from, but does break DKIM, but that is pretty rare. Either version is an improvement over the current rule.