On 14.04.2023 at 13:26:13, Cyril - ImprovMX via mailop wrote:
> I'm asking because we've been running ImprovMX for a few years now and the
> decision we took was that if you send us an email with a SPF that is
> failing ("-a"), we immediately refuse the email.
> 
> For me, the reason was pretty straightforward; you set your SPF in a way
> that you ask for it to fail, so it makes sense that we refuse it if ... it
> fails.
> 
> But I just discovered that, among others, Google Workspace and Namecheap
> break the SPF when they *forward* an email!

It's been a well-known fact, since SPF appeared, that SPF breaks forwarding.
People say nowadays "forwarding breaks SPF", but I prefer to say it the
other way, because forwarding was there before SPF, so the people who
designed SPF should have taken forwarding into consideration when designing
it. They didn't, so they did their job wrong.

For me it's a reason to disregard "-all" in SPF records and treat it as
"~all" - which can mean e.g. put the message in the spam folder, or greylist
it, or just add some points to the "spaminess" score. Or even ignore "-all"
completely and treat it as "?all", if you receive a lot of forwarded messages.
There's one single exception, when "-all" is the *only* entry in the SPF
record, which means the domain never intends to send any mail - then you can
safely (and probably should) outright reject it.

However, if some address is explicitly listed as "-a" then I guess you can
reject it, because if someone explicitly specified that particular address
as incorrect for sending mail on their behalf, they are probably right (or
they made a huge mistake - but rejecting mail probably will help them
realize that mistake actually). I'm not sure if you had that case in mind.

Myself, I check neither SPF, DKIM nor DMARC on incoming email. I
rely on blacklists (some RBLs, some created from fail2ban logs, some created
manually), greylisting and content analysis (mostly SpamAssassin, but also
some hand-crafted filters) only. But I have a very small personal server,
so this solution might not scale...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
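
The policy described in the message above, as an added example that is not part of the original post: it maps an SPF "fail" to a receiver action depending on whether "-all" is the only entry, whether an explicitly "-"-qualified mechanism matched, or whether only the trailing "-all" matched. The function names, the action labels and the `matched` argument (the mechanism your SPF evaluator reports as having produced the result) are assumptions.

```python
# Added illustration of the policy in the message above; all names are hypothetical.
QUALIFIERS = "+-~?"

def parse_terms(record):
    """Return (qualifier, mechanism) pairs from an SPF record, skipping modifiers."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        qualifier = part[0] if part[0] in QUALIFIERS else "+"
        name = part.lstrip(QUALIFIERS).lower()
        # A modifier (redirect=, exp=) has "=" before any ":" or "/".
        head = name.split(":", 1)[0].split("/", 1)[0]
        if "=" not in head:
            terms.append((qualifier, name))
    return terms

def disposition(record, result, matched, forward_heavy=False):
    """Map an SPF evaluation to the receiver action the message describes.

    result  -- SPF result already computed by the receiver's SPF evaluator
    matched -- mechanism that produced it, without qualifier (assumed available)
    """
    if result != "fail":
        return "no-override"
    if parse_terms(record) == [("-", "all")]:
        return "reject"            # domain declares it never sends mail
    if matched.lower() != "all":
        return "reject"            # explicitly listed "-" mechanism matched
    # Plain "-all" at the end of a real policy: soften, forwarding may be the cause.
    return "treat-as-neutral" if forward_heavy else "treat-as-softfail"

# Constructed sample evaluations (documentation domains and addresses).
SAMPLES = [
    ("v=spf1 -all", "fail", "all"),
    ("v=spf1 mx ip4:192.0.2.0/24 -all", "fail", "all"),
    ("v=spf1 -ip4:203.0.113.7 mx ~all", "fail", "ip4:203.0.113.7"),
]

if __name__ == "__main__":
    for rec, res, mech in SAMPLES:
        print(f"{rec!r:45} -> {disposition(rec, res, mech)}")
```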
