And for my feedback...

We use -all for important domains, involved in ecommerce or confidential data. And yes, sometimes we get a bounce, because someone forwarded their email to another party, but it is rare (and forwarding should be discouraged).

However, it is better than the risk of abuse. Not that I'm a great fan or proponent of SPF everywhere, or think it is the end-all.

And we also do 'some' recognition of failed SPF when we do filtering, but not so much. However, when it comes to big banks and big companies where 'phishing' is common, we do use it to seed our Known Sender Forgery system, but in those cases we actually treat -all and ~all quite similar.

Companies of this size SHOULD know the dangers of phishing, and SHOULD have accurate SPF records. And yes, it COULD trigger a rejection notice when coming through a forwarder, but should you forward something as sensitive as banking information? ;)

But it is only a 'small' part of the overall arsenal. It doesn't help much when 'phish' attacks use a domain with a small typo difference, e.g. all the fake paypal/apple domains getting registered on a regular basis.

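To make the -all versus ~all distinction and the forwarding failure mode discussed in this thread concrete, here is a small added example (not code from any poster or from the mailop list). It is a deliberately simplified SPF evaluator that handles only ip4, include and all terms, against a constructed in-memory DNS table; the domains, IPs and records are invented for illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (made-up example domains and records).
FAKE_DNS = {
    "bank.example":      "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example":  "v=spf1 ip4:198.51.100.0/24 -all",
    "soft.example":      "v=spf1 ip4:192.0.2.0/24 ~all",
    "forwarder.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Simplified SPF check: ip4, include and all only (no a/mx/exists/macros)."""
    if depth > 10:
        return "permerror"            # RFC 7208 caps DNS-querying mechanisms at 10
    record = FAKE_DNS.get(domain)
    if record is None or not record.startswith("v=spf1 "):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
        if mech.startswith("include:") and check_spf(mech[8:], client_ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"                  # no 'all' term: the default result is neutral

def receiver_verdict(result, honour_policy=True):
    """Receiver side: only a hard fail (-all) is a reject signal; ~all is advisory."""
    if result == "fail" and honour_policy:
        return "reject"
    return "accept"

def forwarding_scenarios():
    """Three hops for one message from bank.example, as discussed in the thread."""
    return {
        # Direct delivery from the bank's own MTA
        "direct": check_spf("bank.example", "192.0.2.10"),
        # Old-school forward: forwarder relays with the bank's MAIL FROM intact
        "forwarded_-all": check_spf("bank.example", "203.0.113.5"),
        "forwarded_~all": check_spf("soft.example", "203.0.113.5"),
        # Forwarder rewrites the return path (SRS), so its own SPF record is checked
        "forwarded_srs": check_spf("forwarder.example", "203.0.113.5"),
    }
```

The forwarded hops show why -all produces a bounce at a policy-honouring receiver while ~all only yields softfail, and why a forwarder that rewrites the return path (as Al describes Google doing) sidesteps the problem entirely.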
On 17-12-15 06:12 AM, Al Iverson wrote:
You're not wrong. I would only say that perhaps this makes -all
harmless versus something one truly needs to worry about or avoid.

There's a lot of past, quite possibly bogus, guidance where we were
all pushed as ESP senders to implement -all, given the impression that
once upon a time it provided an indirect deliverability boost in some
places. Inertia is strong.

I still personally want -all for myself, because I think there are
possibly a lot of third or fourth tier smaller ISPs, and hobbyists,
and non-US ISPs, that perhaps have SPF support but aren't there with
DMARC yet.

Cheers,
Al Iverson

On Thu, Dec 14, 2017 at 5:28 PM, Brandon Long <bl...@google.com> wrote:
My point is that -all is policy, and most people ignore the policy portions
of SPF because it completely fails a lot of forwarding cases.

-all is asking receivers to reject mail that doesn't pass.

~all isn't policy.

In practice, very few receivers implement SPF policy (except -all by itself
for domains which don't send mail as a special case).

Maybe there are some smaller receivers who will pay attention to it, but
you're almost certainly going to get more false positives from them than
real positives.  And you won't even notice.

If you want policy, use DMARC, it's what it's there for, and these things
are considered.  As much as DMARC rightly gets pushback for the parts of
forwarding it fails at, it's definitely more useful for policy goals, and
has much wider adoption.

DKIM, for example, explicitly says that a DKIM fail means nothing.  Which
doesn't prevent folks from rejecting messages with broken DKIM signatures,
probably the same folks who follow -all.

Brandon


On Thu, Dec 14, 2017 at 12:17 PM Al Iverson <aiver...@wombatmail.com> wrote:

On Thu, Dec 14, 2017 at 2:14 PM, Brandon Long via mailop
<mailop@mailop.org> wrote:

On Thu, Dec 14, 2017 at 11:09 AM Jim Popovitch <jim...@gmail.com> wrote:

On Thu, Dec 14, 2017 at 11:33 AM, Vladimir Dubrovin via mailop
<mailop@mailop.org> wrote:

In fact, you should not use "-all" for your mail domain if you care
about deliverability.

FALSE!  (Also, you should not randomly add CC recipients to the same
mailing list that you are responding to)

Aside from a few HUGE providers, those with very large and disparate
networks/offices/topology....

-all means that the domain operator knows what they are doing, knows
what their network consists of and how email is routed within their
network.  It further states that the -all publisher has committed to
staying abreast of what happens in their environment in order to
assure their IP space is properly routing email.  It instills
confidence.

~all is just plain lazy, and is akin to saying that you don't have
confidence in your ability to own and control your own network; and
you want others to spend some level of time/money (in the form of CPU
cycles) analyzing email emitted from your network to determine its
suitability for deliverability.

Or, it acknowledges the fact that the people you send mail to may
forward that mail, and trying to control that is silly.

Yeah, but a fail doesn't magically turn into a pass if you turn -all into
~all.

I don't think either is a universal use case, but I see good reasons
for both ways and it depends on what type of company and mail sender
you are. For me, I think -all makes a lot of sense for marketing
senders and folks really worried about phishing/spoofing. And I see
lots of -all mail get forwarded just fine, thanks to, for example, the
fine folks at Google who write the return path when forwarding. :)

Old school forwarding is still a pain even if you pull SPF out of the
equation, no?

Cheers,
Al

--
al iverson // wombatmail // miami
http://www.aliverson.com
http://www.spamresource.com

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
