> For me, the reason was pretty straightforward; you set your SPF in a way that you ask for it to fail, so it makes sense that we refuse it if ... it fails.

Well, no. One should never reject on a simple SPF fail; we have DMARC for that. One should only reject (in the context of SPF/DKIM/DMARC) on final DMARC failure with a policy p=reject. That is what the standards are there for. The new addition, ARC, will also help you in the case of forwards: you can accept letters that passed DMARC initially before the forward.

If it's spam you're worried about, filter it out using other means.

Many vendors do reject letters when there's neither SPF nor DKIM, however.

> What would be the best behavior here? Should we allow all emails, even those who fail SPF? Should we only block when DMARC is set and fails?

The best behavior is to verify SPF, DKIM, DMARC and ARC, all four. Then make a standard-based decision based on those; if DMARC still doesn't pass, then one rejects.

SPF fail shouldn't be the thing that decides the fate of a letter; it's not used like that, nor should it be used for that.


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

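The decision order described in the reply above, as an added example that is not part of the original message or of any mail server's code. It assumes the receiver's verifier has already written an Authentication-Results value (RFC 8601) and that the ARC-Authentication-Results values (RFC 8617) are taken from the message; the function names, the `sealers_trusted` flag and the sample headers are constructed for illustration.

```python
import re

# Matches method=result pairs in an Authentication-Results value (RFC 8601).
_METHOD = re.compile(r"\b(spf|dkim|dmarc|arc)\s*=\s*([a-z]+)", re.I)
_INSTANCE = re.compile(r"^\s*i\s*=\s*(\d+)\s*;")

def parse_results(header_value):
    """Map each method to its result; with several entries, one pass wins."""
    found = {}
    for method, result in _METHOD.findall(header_value):
        method, result = method.lower(), result.lower()
        if found.get(method) != "pass":
            found[method] = result
    return found

def first_hop_dmarc(arc_aar_values):
    """DMARC result recorded by the first ARC hop (i=1), or None."""
    for value in arc_aar_values:
        m = _INSTANCE.match(value)
        if m and m.group(1) == "1":
            return parse_results(value).get("dmarc")
    return None

def decide(auth_results, dmarc_policy, arc_aar_values=(), sealers_trusted=False):
    """Return (action, reason). An SPF result alone never decides the outcome."""
    local = parse_results(auth_results)
    if local.get("dmarc") == "pass":
        return "accept", "DMARC pass"
    if local.get("dmarc") != "fail":
        return "accept", "no DMARC failure; leave it to spam filtering"
    # DMARC failed at this hop. A validated ARC chain from sealers we trust
    # (a local policy choice, assumed here) showing DMARC passed before the
    # forward overrides the local failure.
    if (local.get("arc") == "pass" and sealers_trusted
            and first_hop_dmarc(arc_aar_values) == "pass"):
        return "accept", "ARC shows DMARC passed before the forward"
    if dmarc_policy == "reject":
        return "reject", "DMARC fail with p=reject"
    return "accept", "DMARC fail, published policy is not reject"

# Constructed sample: a forwarded message as seen by the final receiver.
FORWARDED_AR = ("mx.receiver.example; spf=fail smtp.mailfrom=sender.example; "
                "dkim=fail header.d=sender.example; "
                "dmarc=fail header.from=sender.example; arc=pass")
FORWARDED_AAR = ["i=1; mx.forwarder.example; spf=pass smtp.mailfrom=sender.example; "
                 "dkim=pass header.d=sender.example; "
                 "dmarc=pass header.from=sender.example"]
```

With the constructed sample, `decide(FORWARDED_AR, "reject", FORWARDED_AAR, sealers_trusted=True)` accepts the forwarded message, while the same call without a trusted ARC chain rejects it on the DMARC failure, not on the SPF failure.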