Maybe it's just me, but I've never felt the desire to ignore
overenthusiastic SPF.

It's just you. I talk to people who run large mail systems, and
without exception they tell me that they do not reject on spf -all
other than perhaps a plain -all, which means someone sends no mail at all.
The false positive rate would just be too high.

Expressing a different point of view since the world of electronic
mail is not completely made of "large mail systems."

It's not just him.

Big difference on whether it's a public ESP with forwarding, hosting
operations or a private (any size) domain who generally deal with
final destination operations only and are not in the business of
forwarding/hosting or they got out of the hosting business like so
many did.

From an SPF functional specs standpoint, if a domain has a -ALL
policy, it would be an operational mistake to presume or expect
receivers will not be rejecting their mail on SPF failures. A mistake
on the SPF policy holder's part to believe that receivers will be
accepting failures when the specs (old and new) have it burned in to be
a rejectable condition. The older, original spec was very clear
about it; the newer spec appropriately expounded on the potential risk
for false positives. Nonetheless, the SPF hard fail intention is to
REJECT, not to ACCEPT. Therefore a mistake to believe receivers will
always accept the failed SPF message.

It would also be an operational mistake to presume rejection will not
take place at SMTP immediately, before DATA and before DMARC is
processed at DATA. Do not presume that a DMARC receiver will delay
the rejection until the payload is transferred.

For our package, out of the box, our mostly private operators have
SMTP reject on hard fail policies. That is what the domain wanted,
that is what the spec indicated can happen, that is what they can get
-- an immediate dynamic rejection. In 14 years of using SPF, it has
never been a big support discussion. SRS came up here and there but I
don't think operators have been changing the default, but if they did,
no big deal. Just do it because SPF was not for their operation. There
have been operators who turned off SPF completely because they have
combined their mail frontends but overall, 14 years worth of stats
have shown a low to nil false positive, i.e. hardly ever any support
concerns.

To me, SPF has been highly successful with a high confidence payoff of
between 4% and 8% dynamic rejection rate over the years.
--
HLS
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
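
The receiver behaviour discussed in the message above (an SPF hard fail rejected at MAIL FROM, so the transaction never reaches DATA where DMARC would be evaluated), as an added example that is not part of the original message or of any mail package mentioned in it. It evaluates only the ip4, ip6 and all mechanisms; the domains, records, function names and the `reject_on_fail` switch are constructed for illustration.

```python
import ipaddress

# Constructed sample policies (documentation domains and address ranges).
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nomail.example": "v=spf1 -all",  # plain -all: domain sends no mail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip):
    """Evaluate a subset of SPF (ip4, ip6, all) for the MAIL FROM domain."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def smtp_mail_from(sender, client_ip, reject_on_fail=True):
    """Return (spf_result, smtp_reply, reaches_data) for a MAIL FROM command.

    A 5xx reply here ends the transaction before DATA, so the header From
    is never seen and no DMARC evaluation takes place for that message.
    """
    domain = sender.rpartition("@")[2].lower()
    result = spf_result(domain, client_ip)
    if result == "fail" and reject_on_fail:
        return result, "550 5.7.23 SPF validation failed", False
    return result, "250 2.1.0 Sender OK", True
```

With `reject_on_fail=False` the same hard fail is accepted at MAIL FROM and the decision is deferred to DATA, which is the behaviour the earlier reply attributes to large mail systems.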