Quoting Simon Hobson (li...@thehobsons.co.uk):

> SPF breaks mailing lists and mail forwarders - and this is NOT (IMO)
> fixable without introducing a wide open front gate for spammers to
> ride through and completely bypass SPF.

No, it does not break mailing lists. It _does_ break other common types of forwarders unless they adopt SRS-wrapping.

The reason it does not adversely affect mailing lists is that SPF validates only the envelope header: The receiving MTA verifies that the delivering MTA's IP address is mentioned in the claimed sending domain's SPF RR (if there is one in that domain's DNS).

Consider the envelope header of your own Dng posting, as received by linuxmafia.com's MTA when it received my subscription's copy. Here's the way your post arrived:

From dng-boun...@lists.dyne.org Thu Aug 03 05: 8:39 2017
Return-path: <dng-boun...@lists.dyne.org>
Envelope-to: r...@linuxmafia.com

So, the envelope sender's domain was dyne.org, not thehobsons.co.uk, and my receiving MTA will perform a DNS check against the former.

:r! dig -t txt dyne.org +short
"google-site-verification=6FghqJroXIvBY8cutq6ouO0RC-a8qynFu6sJR3S-IbA"
"v=spf1 mx ip4:178.62.188.7/32 ip4:188.226.191.63/32 ip4:213.127.180.241/32 -all"
"google-site-verification=2XoWrMMTQ7jmgcB_76Y_TQSnWDGhR4e-y_KLqoKOK1Q"

:r! dig lists.dyne.org +short
178.62.188.7

And, lo! The envelope sender does validate.

You are probably confusing mailing lists, which provide new envelope headers during forwarding citing the forwarding domain, with other forwarders like /etc/alias entries and ~/.forward files. It's for the _latter_ that SPF author Meng Wong invented that goofy Sender Rewriting System. Mailing lists, by contrast, don't have the problem he invented that kludge to fix.

And, again, Simon, my mail domain linuxmafia.com has had an SPF hardfail directive in its DNS since around 2003, and the specifier is extremely narrow:

:r! dig -t txt linuxmafia.com +short
"v=spf1 a mx -all"

That says 'If a mail's envelope header claims it's from linuxmafia.com, but the delivering MTA doesn't match either linuxmafia.com's DNS A record or its MX record, please consider it definitively a forgery.'

I'm on _many_ mailing lists on many hosts. If my mailing list mail had a deliverability problem caused by hardfailing forgeries of my envelope header, I'd have figured that out, some time over the past 14 years. It does not happen, because mailing lists work better than /etc/alias entries and ~/.forward files by design.
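
The distinction drawn in the message above, as an added example that is not part of the original post: a small SPF evaluator (ip4, a, mx and all only) run against four deliveries, showing that the check follows the envelope sender's domain and the connecting IP. All domains, addresses, the SRS-style address and the in-memory DNS tables are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; every name and
# address below is made up (documentation ranges), not taken from the post.
TXT = {
    "author.example": "v=spf1 a mx -all",  # same shape as the hardfail record quoted above
    "lists.example": "v=spf1 ip4:192.0.2.25/32 -all",
    "forwarder.example": "v=spf1 a -all",
}
A = {"author.example": ["198.51.100.10"], "mail.author.example": ["198.51.100.10"],
     "forwarder.example": ["203.0.113.5"]}
MX = {"author.example": ["mail.author.example"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate a small SPF subset for the envelope sender (MAIL FROM)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        # Mechanisms outside this subset never match in this sketch.
        matched = (
            mech == "all"
            or (mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False))
            or (mech == "a" and client_ip in A.get(domain, []))
            or (mech == "mx" and any(client_ip in A.get(h, []) for h in MX.get(domain, [])))
        )
        if matched:
            return RESULT[qualifier]
    return "neutral"

def scenarios():
    return {
        "direct": check_spf("198.51.100.10", "alice@author.example"),
        # List host re-sends with its own bounce address as envelope sender.
        "mailing_list": check_spf("192.0.2.25", "list-bounces@lists.example"),
        # /etc/aliases or ~/.forward style relay: envelope sender left unchanged.
        "plain_forward": check_spf("203.0.113.5", "alice@author.example"),
        # SRS-style rewrite puts the forwarder's own domain in the envelope.
        "srs_forward": check_spf("203.0.113.5", "SRS0=HHH=TT=author.example=alice@forwarder.example"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} {result}")
```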