On Thu, Jun 8, 2023 at 4:35 PM Barry Leiba <barryle...@computer.org> wrote:
> > A sender using both SPF and DMARC will see a slight
> > boost in validation rates due to increased resiliency when there are
> > transient DNS failures and other problems.
>
> Do you mean "both SPF and DKIM", perhaps?

My bad. I responded while in the middle of something else. Proof that one should always proofread before hitting send.

> I don't see how that makes sense: if there's a transient DNS failure,
> then neither the SPF nor the DKIM (nor the DMARC) records can be
> retrieved.

One example is where there is a pool of DNS servers. One server in a pool might have an issue while others are fine. All the lookups do not necessarily hit the same server. You also don't factor in cached results for SPF as well as potentially different TTLs for those results.

> I also don't see how using an unreliable mechanism is a benefit. It
> demonstrably hurts validation rates related to relayed/forwarded mail,
> and can cause *false* validations in cases of overly-broad SPF
> configurations (as when a large provider that also hosts many spammers
> is used).

It's all in the mail flow and configurations. YMMV. I was dealing almost overwhelmingly with transactional emails in a well-configured environment (from the day that DMARC was originally published we were at p=reject). Yes, we had to fix some things beforehand. I strongly believe that the 2 biggest problems with setting up email authentication as a sender are that people don't put much thought into it and in many cases they deploy when their hair is on fire.

Michael Hammer

> Barry
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
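The cases argued in the message above, worked through as an added example (not part of the thread and not either participant's code): a DMARC verdict computed from SPF and DKIM results when one lookup fails transiently and when mail is forwarded. Assumptions: the domains are constructed, alignment is a simplified parent/child match rather than a public-suffix-list comparison, and a transient error only decides the verdict when no aligned mechanism passed.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    method: str   # "spf" or "dkim"
    result: str   # "pass", "fail" or "temperror"
    domain: str   # SPF: envelope-from domain; DKIM: d= domain

def aligned(auth_domain: str, from_domain: str) -> bool:
    # Simplification: same domain or parent/child counts as relaxed alignment.
    # A real evaluator compares Organizational Domains via a public suffix list.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_eval(from_domain: str, results: list) -> str:
    usable = [r for r in results if aligned(r.domain, from_domain)]
    if any(r.result == "pass" for r in usable):
        return "pass"        # one aligned pass is enough
    if any(r.result == "temperror" for r in usable):
        return "temperror"   # nothing passed, and a lookup failed transiently
    return "fail"

FROM = "example.com"  # constructed sender domain

def scenarios() -> dict:
    return {
        # One DNS server in the pool misbehaves during the SPF lookup.
        "spf_only_dns_glitch": dmarc_eval(FROM, [
            Auth("spf", "temperror", "bounce.example.com")]),
        "both_spf_glitch": dmarc_eval(FROM, [
            Auth("spf", "temperror", "bounce.example.com"),
            Auth("dkim", "pass", "example.com")]),
        # Every lookup fails: the second mechanism does not help.
        "both_total_outage": dmarc_eval(FROM, [
            Auth("spf", "temperror", "bounce.example.com"),
            Auth("dkim", "temperror", "example.com")]),
        # Plain forwarding: the forwarder's IP is not in the SPF record;
        # the DKIM signature is assumed to survive unmodified.
        "forwarded_spf_only": dmarc_eval(FROM, [
            Auth("spf", "fail", "bounce.example.com")]),
        "forwarded_with_dkim": dmarc_eval(FROM, [
            Auth("spf", "fail", "bounce.example.com"),
            Auth("dkim", "pass", "example.com")]),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22} {verdict}")
```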