Quoting Andrew McGlashan via Dng (dng@lists.dyne.org):

> They screw up greylisting, they screw up SPF and they screw up DMARC.

They didn't screw up SPF. If you as the domain stakeholder of an SMTP-sending domain deterministically know and can specify in SPF's flexible spec format for DNS TXT records where _all_ your domain's legitimate mail will originate, then you can use SPF to good effect to make forged sending IPs detectable and rejectable at the time of SMTP receipt.

I happen to be able to thus specify. It's particularly simple in my domain's case, because the sole authorised origin is one IPv4 address. Therefore...

:r! dig -t txt linuxmafia.com. @ns1.linuxmafia.com. +short
"v=spf1 ip4:96.95.217.99 -all"

...Works for Me[tm]. (Please note that the '-all' means my DNS recommends _permfail_ of non-compliant mail.)

Occasionally, I see claims in Linux forums, including in a discussion two years ago on this mailing list, that SPF breaks on mailing lists. This is simply not true. If it'd been true, I'd have noticed at some point over the last couple of decades.

Domain owners for whom SPF does _not_ work include ones who insist on originating port 25 unauthenticated SMTP from arbitrary unplanned IP addresses without that mail getting rejected as suspected of being a forgery. (Good luck with that.) For them, fortunately, even if they take that rather impractical position, SPF still doesn't hurt them: They retain the option of not publishing an SPF record, or one declaring that their mail might originate from anywhere.

Oddly enough, I _can_ identify a time when my SPF record did hurt my mail delivery. It was the afternoon of December 17, 2019, when because of an ISP shutdown I had to re-IP my server for the first time in 18 years. Everything appeared to go smoothly, in part because I'd shortened TTLs to 3600 many days in advance. Less than an hour after cutover, one of my outgoing mailing list postings was rejected by luv.asn.au on grounds that my own SMTP server supposedly violated my own SPF policy.
Explanation: Someone there was for some reason retaining my old SPF RR in cache longer than was supposed to happen. Problem did not recur. ;->
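
The single-address "-all" policy and the stale-cache rejection described in the post above, as an added example that is not part of the original post or the author's own tooling. It evaluates only the ip4/ip6/all mechanisms, uses constructed documentation addresses for the old and new server IPs (the post does not give them), and goes one step beyond the post by also checking a transition record that lists both addresses.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record (RFC 7208) for one IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this sketch: {term}")
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"                         # nothing matched and no 'all'

# Constructed sample values (documentation address ranges, not from the post).
OLD_IP, NEW_IP, TTL = "192.0.2.10", "198.51.100.20", 3600
OLD_ONLY = f"v=spf1 ip4:{OLD_IP} -all"
NEW_ONLY = f"v=spf1 ip4:{NEW_IP} -all"
TRANSITION = f"v=spf1 ip4:{OLD_IP} ip4:{NEW_IP} -all"

def record_seen(cached, live, age, honors_ttl=True):
    """TXT record a receiver uses `age` seconds after it cached `cached`."""
    if age < TTL or not honors_ttl:
        return cached
    return live

def verdict_after_cutover(cached, age, honors_ttl=True):
    """SPF result for mail sent from NEW_IP once NEW_ONLY is the live record."""
    return spf_check(record_seen(cached, NEW_ONLY, age, honors_ttl), NEW_IP)

if __name__ == "__main__":
    print(spf_check("v=spf1 ip4:96.95.217.99 -all", "96.95.217.99"))  # record from the post
    print(verdict_after_cutover(OLD_ONLY, 2 * TTL))                    # cache refreshed on time
    print(verdict_after_cutover(OLD_ONLY, 2 * TTL, honors_ttl=False))  # cache kept the old RR
    print(verdict_after_cutover(TRANSITION, 2 * TTL, honors_ttl=False))
```

A receiver that holds the old-address-only record past its TTL fails mail from the new address under "-all", while a cached copy of a record listing both addresses still passes.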