On Thursday, February 04, 2016 06:06:14 PM Reindl Harald wrote:
> before Google is telling somebody something they should better learn
> the difference between "~" and "-" in an SPF record to make gmail.com at
> least on envelope-level spoofing protected
>
> a high percentage of spam here would not only have been flagged but
> outright rejected if they would do their own homework
>
> ;; ANSWER SECTION:
> gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
>
> ;; ANSWER SECTION:
> _spf.google.com. 300 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
SPF strict outright breaks mail forwarding, unless the forwarder rewrites the envelope sender. DKIM + DMARC is a much better compromise. It allows properly-signed mail forwarded intact to still pass DMARC checks.

The only significant forwarders that break DMARC are mailing lists, because they tend to change headers (especially subject lines) and add content to the message body, both of which break the DKIM signatures. Ironically, they also rewrite the envelope sender, so they didn't notice how broken SPF by itself was.

Mailing lists will need to learn to either not modify the message being forwarded, or else both rewrite the From: header and preferably remove any now-broken DKIM signatures. Or just refuse mail from DMARC-reject senders, which will eventually marginalize their use.

Neither mechanism is perfect, but I think everyone can agree that email needs to adapt to remain useful in a world full of criminals. And even more importantly, it does seem that DMARC-reject is gaining traction among big mail receivers.
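The forwarding argument above, worked through in a simplified SPF evaluator and DMARC alignment check (an added example, not code from either poster). It uses a constructed in-memory DNS map rather than real lookups, the gmail.com/_spf.google.com records mirror the ones quoted, and the 203.0.113.0/24 netblock and the forwarder IP 198.51.100.7 are placeholders.

```python
import ipaddress

# Constructed TXT records (no real DNS); gmail.com chain mirrors the quoted records,
# strict.example is the same netblock published with "-all" instead of "~all".
DNS_TXT = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",  # placeholder netblock
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """Evaluate ip4/include/all/redirect for `ip` sending MAIL FROM `domain`."""
    if depth > 10:                      # RFC 7208 lookup limit, simplified
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        elif term.startswith("redirect="):
            redirect = term[9:]         # modifier: only used if nothing matches
            continue
        else:
            continue
        if matched:
            return QUAL[qual]
    return spf_check(redirect, ip, depth + 1) if redirect else "neutral"

def dmarc_disposition(from_domain, mail_from_domain, ip, dkim_valid, dkim_domain, policy="reject"):
    """DMARC passes if SPF or DKIM passes *and* its domain aligns with From:."""
    spf_aligned = spf_check(mail_from_domain, ip) == "pass" and mail_from_domain == from_domain
    dkim_aligned = dkim_valid and dkim_domain == from_domain
    return "pass" if spf_aligned or dkim_aligned else policy
```

A plain forwarder (envelope sender unchanged, DKIM intact) gets softfail under "~all", a hard fail under "-all", yet passes DMARC on DKIM; a list that alters the subject loses DKIM and hits the reject policy.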