On 14.04.2023 at 13:26:13, Cyril - ImprovMX via mailop wrote:
> I'm asking because we've been running ImprovMX for a few years now and the
> decision we took was that if you send us an email with a SPF that is
> failing ("-a"), we immediately refuse the email.
>
> For me, the reason was pretty straightforward; you set your SPF in a way
> that you ask for it to fail, so it makes sense that we refuse it if ... it
> fails.
>
> But I just discovered that, among others, Google Workspace and Namecheap
> break the SPF when they *forward* an email!

It's a well-known fact since SPF appeared, that SPF breaks forwarding. People say nowadays "forwarding breaks SPF", but I prefer to say it the other way, because forwarding was there before SPF, so the people who designed SPF should have taken forwarding into consideration when designing it. They didn't, so they did their job wrong.

For me it's a reason to disregard "-all" in SPF records and treat it as "~all" - which can mean e.g. put the message in the spam folder, or greylist it, or just add some points to the "spaminess" score. Or even ignore "-all" completely and treat it as "?all", if you receive a lot of forwarded messages.

There's one single exception, when "-all" is the *only* entry in the SPF record, which means the domain never intends to send any mail - then you can safely (and probably should) outright reject it.

However, if some address is explicitly listed as "-a" then I guess you can reject it, because if someone explicitly specified that particular address as incorrect for sending mail on their behalf, they are probably right (or they made a huge mistake - but rejecting mail probably will help them realize that mistake actually). I'm not sure if you had that case in mind.

Myself, I check neither SPF, DKIM nor DMARC on incoming email. I rely on blacklists (some RBLs, some created from fail2ban logs, some created manually), greylisting and content analysis (mostly SpamAssassin, but also some hand-crafted filters) only. But I have a very small personal server, so this solution might not scale...

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
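
The handling of a failing SPF check described in the message above, as an added Python example that is not part of the original post. The function names, the action labels and the assumption that the SPF evaluator reports which term produced the result are hypothetical.

```python
import re

# Action labels are hypothetical; map them to whatever the MTA or filter uses.
REJECT = "reject"
SOFT = "score-or-greylist"      # spam folder, greylisting or extra spam score
ACCEPT = "no-spf-penalty"

# A modifier is "name=value" (redirect=, exp=, ...); it is not a mechanism.
_MODIFIER = re.compile(r"^[a-z][a-z0-9_.-]*=")


def spf_mechanisms(record):
    """Return the mechanisms of an SPF TXT record, lower-cased, without modifiers."""
    parts = record.strip().lower().split()
    if not parts or parts[0] != "v=spf1":
        raise ValueError("not an SPF record")
    return [p for p in parts[1:] if not _MODIFIER.match(p)]


def is_null_sender_record(record):
    """True when '-all' is the only mechanism: the domain never sends mail."""
    return spf_mechanisms(record) == ["-all"]


def disposition(record, spf_result, matched_term):
    """Map an SPF evaluation to an action.

    record       -- the sender domain's SPF TXT record
    spf_result   -- evaluator result: "pass", "fail", "softfail", "neutral", ...
    matched_term -- the term that produced the result, e.g. "-all" or "-a"
                    (assumed to be reported by the SPF evaluator)
    """
    if spf_result == "softfail":
        return SOFT
    if spf_result != "fail":
        return ACCEPT
    if is_null_sender_record(record):
        return REJECT               # "v=spf1 -all": reject outright
    term = matched_term.lower()
    if term == "-all":
        return SOFT                 # catch-all fail, often a forwarder: treat as "~all"
    if term.startswith("-"):
        return REJECT               # host explicitly listed as not permitted
    return SOFT
```
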