On 3/12/2024 6:42 PM, John Levine wrote:
> It appears that Scott Kitterman <skl...@kitterman.com> said:
>> Or, as RFC 4408 and RFC 7208 warn against, ESPs don't allow customers to send
>> mail for anything other than their own domains.  ESP customers, don't use ESPs
>> that do this.
>
> It's not just ESPs. There's a widely reported bug that lets anyone
> whose mail is hosted at Microsoft send SPF-compliant mail pretending
> to be any other MS customer.

Purportedly, they've tightened the connector requirements (SRS for anything not meeting them) that was directly related to last year's SPF upgrade debacle (which a popular package carrier's BIMI implementation was a victim of), but there are still other arguably more egregious methods allowed via said vendor that enable unauthenticated mail to become suddenly authenticated with DKIM because... "it's a feature".

I don't know how we can account for willful negligence.

- Mark Alley
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
