On Mon, 31 Aug 2020, Brandon Long wrote:
Hmm, DMARC is for the header from domain, however, I wonder if folks usually only do the spf lookup on the mail from argument, which may not be aligned and therefore doesn't hit that.
And then how would this also play with say the Sender: header override draft, would you expect to listen to the SPF for the header from domain saying "no mail" or allow override?
We can get awfully meta here. Imagine an executive who has her assistant send all her mail, so the address in the From: line never sends any mail, although you can send mail to her. So SPF -all would be right even though the address is OK.
Agreed with the general case of "I really mean it" though.
But this gets into "who cares what you think" territory (generic you, not Brandon you.)
I think the least wrong thing to validate the From header is to check for a null MX. I realize that a lot of bulk mail is sent with From addresses that don't work ("please do not reply to this message, because we do not care what you want"), but I expect they're unlikely to publish null MX.
Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly _______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
