> On 7 Dec 2015, at 17:59, Brandon Long <bl...@google.com> wrote: >
> Is a DNSSEC failure like this really going to resolve itself in 3-7 days? > Are you even going to know there's an issue if the message is just sitting in > a queue instead of delivering or bouncing? Well, yes, because of course we’ll be sending delay notification messages to the sender. And they’re just as actionable as delivery failure notifications. And we’ll be monitoring our mail queues. > Right now, we have basically reject on ipv6 if (rdns no match and spf fail > and dkim fail). At some level, sure, we could treat each of those statements > as a tri-state, and temp fail if any was a temp failure. > > Also, the statement "it's impractical to set up spf or dkim" ... the sooner > you start on that, the quicker it will be done. Unauthed mail is already > treated pretty harshly by our spam filters, and I imagine it's only going to > get worse. > Agreed, but SPF is down to the domain owner, not the mail operator. And, as with my vanity domain (hosted by Google Apps), it isn’t possible for the mail operator to automate that unless they’re also providing the DNS service. They could require it, but at the risk of losing business. I guess that’s why Google don’t require it (unless that’s changed). -- Ian Eiloart Postmaster, University of Sussex +44 (0) 1273 87-3148 _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
