Hi! What is the best approach when you receive an email that doesn't respect SPF (with a hard fail)?
I'm asking because we've been running ImprovMX for a few years now, and the decision we took was that if you send us an email with an SPF that is failing ("-a"), we immediately refuse the email. For me, the reason was pretty straightforward: you set your SPF in a way that asks for it to fail, so it makes sense that we refuse it if ... it fails.

But I just discovered that, among others, Google Workspace and Namecheap break SPF when they *forward* an email! If you set up forwarding for your email, say "supp...@domain.com" redirecting to al...@destination.com, and send an email from b...@example.com to supp...@domain.com, the server at destination.com will see an email coming from b...@example.com, but with the IPs of Google (or Namecheap). Since b...@example.com hasn't put the Google (or Namecheap) IPs in their SPF because they don't use them, their email will break SPF at the destination.com domain. So, since Google Workspace and Namecheap are doing this, it means that others are certainly also doing this.

What would be the best behavior here? Should we rely on both SPF AND DKIM to refuse an email (compared to just SPF), even if no DMARC is set? Should we allow all emails, even those that fail SPF? Should we only block when DMARC is set and fails? What is the best approach here?

I personally don't want to accept emails that fail SPF with no further checks, otherwise it will be hell on the amount of emails we'll handle.

Thanks for your help here!
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
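The forwarding case described in the post, modelled as an added example (this is not ImprovMX code or anything posted to the list; the domains, IP addresses, SPF records and DKIM outcomes are constructed). It contains a minimal SPF evaluator over an in-memory DNS table and a DMARC-style decision: accept when either SPF or DKIM passes with a domain aligned to the From: header, otherwise apply the published DMARC policy, and only when no DMARC policy exists fall back to a local rule about SPF hard fails. The local rule shown (reject an SPF hard fail only when no DKIM signature verified at all) is one possible choice, not a recommendation from the thread. It also assumes the forwarder leaves the message body untouched, so the original DKIM signature still verifies after the hop.

```python
"""Added example, not code from the original post or from ImprovMX.

Toy model of SPF breakage under forwarding: a minimal SPF evaluator (ip4:,
include: and the 'all' mechanism only) over a constructed DNS table, plus a
DMARC-style accept/reject decision.  Domains, IPs and DKIM outcomes are
constructed for illustration.
"""
import ipaddress

# Constructed SPF records.  example.com only authorises its own netblock;
# forwarder.example stands in for a Google Workspace / Namecheap style hop.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Return the SPF result for client_ip sending with MAIL FROM domain."""
    record = DNS_TXT.get(domain.lower())
    if record is None or depth > 10:          # no record, or an include: loop
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:                                 # mechanisms not modelled here
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # no mechanism matched


def org_domain(domain):
    """Simplified organisational domain (last two labels; real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def decide(from_domain, mail_from_domain, client_ip, dkim_passes, dmarc_policy=None):
    """DMARC-style decision.

    dkim_passes: set of d= domains whose DKIM signature verified.
    dmarc_policy: 'none', 'quarantine', 'reject', or None when no record exists.
    Returns (action, explanation).
    """
    spf = check_spf(mail_from_domain, client_ip)
    spf_aligned = spf == "pass" and org_domain(mail_from_domain) == org_domain(from_domain)
    dkim_aligned = any(org_domain(d) == org_domain(from_domain) for d in dkim_passes)
    detail = f"spf={spf} spf_aligned={spf_aligned} dkim_aligned={dkim_aligned}"
    if spf_aligned or dkim_aligned:
        return "accept", detail
    if dmarc_policy in ("quarantine", "reject"):
        return dmarc_policy, detail + " (DMARC policy applied)"
    # No usable DMARC policy: local rule, one possible choice rather than a
    # recommendation.  Reject an SPF hard fail only if no DKIM signature
    # verified at all; a valid but unaligned signature still earns acceptance.
    if spf == "fail" and not dkim_passes:
        return "reject", detail + " (local rule: hard fail, no DKIM)"
    return "accept", detail + " (local rule: not enough evidence to reject)"


def forwarding_scenario():
    """The post's case: b@example.com -> supp@domain.com (forwarded) -> a@destination.com.

    Returns the actions for: direct delivery, the forwarded hop with no DKIM,
    the forwarded hop with the original DKIM signature intact, and a forwarder
    that rewrote the envelope sender to its own domain (SRS-style).
    """
    direct = decide("example.com", "example.com", "203.0.113.5", set())
    fwd_no_dkim = decide("example.com", "example.com", "198.51.100.7", set())
    fwd_dkim = decide("example.com", "example.com", "198.51.100.7", {"example.com"})
    fwd_srs = decide("example.com", "forwarder.example", "198.51.100.7", set())
    return (direct[0], fwd_no_dkim[0], fwd_dkim[0], fwd_srs[0])


if __name__ == "__main__":
    labels = ("direct", "forwarded/no DKIM", "forwarded/DKIM", "forwarded/SRS")
    for label, action in zip(labels, forwarding_scenario()):
        print(f"{label:18} -> {action}")
```

The four cases show why SPF alone is a poor reject signal for forwarded mail: the same message from the same author is a pass on direct delivery and a hard fail one hop later, while a surviving DKIM signature aligned to the From: domain distinguishes the legitimate forward from a spoof. The SRS case shows the opposite trap, where a forwarder that rewrites the envelope sender produces an SPF pass for its own domain that says nothing about the From: domain.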