On 2024-02-02 23:08:54 (+0800), Mark E. Jeftovic via mailop wrote:
> We're having a bit of a theological debate internally on whether to
> implement DMARC on our SRS forwarder domains.
>
> The team here says that DMARC means there will never be alignment on
> an SRS forwarder domain because the envelope-from /must/ match the
> mail-from.
>
> What we're wondering is, which is better:
>
> * having no DMARC record because there will never be alignment (but
>   there is SPF)
> * having a minimal DMARC with p=none ?
>
> This is just for SRS forwarder domains /only/
>
> Thoughts?

I don't think there's any point in deploying SRS in the first place...

Rejecting purely on SPF -all is a misconfiguration. Nobody should be
doing that. At best, SRS is going to score a couple of points of
hamminess. If a message relies on those points to be seen as ham, there
is probably lower hanging fruit the sender needs to pick. This
shouldn't be a forwarder problem.

As others have mentioned: ARC is the "solution".

While SRS is purely a hack to work around misguided people
hard-enforcing SPF -all policies, ARC actually provides meaningful
authentication signals to downstream recipients (and forwarders).

(There is something to be said for hard-enforcing specifically "v=spf1
-all", but policies with anything between the v=spf1 and the -all are
overwhelmingly configuration errors, and should only count for scoring.)

Philip
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
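
An added example, not part of the original thread or any poster's code: a Python sketch of how a receiver evaluates DMARC identifier alignment for a message before and after an SRS rewrite of the envelope sender. It assumes the common SRS0=hash=timestamp=domain=local layout, approximates the organizational domain as the last two labels (real code uses the Public Suffix List), and uses constructed addresses throughout.

```python
import re

# Assumed SRS0 local-part layout: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>
SRS0_RE = re.compile(r"^SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)$", re.I)

def parse_srs0(mail_from):
    """Return (original_sender, forwarder_domain) for an SRS0 address, else None."""
    local, _, domain = mail_from.rpartition("@")
    m = SRS0_RE.match(local)
    if not m:
        return None
    _hash, _ts, orig_domain, orig_local = m.groups()
    return f"{orig_local}@{orig_domain}", domain.lower()

def org_domain(domain):
    """Assumption: last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """DMARC alignment: exact match (strict) or same organizational domain (relaxed)."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_eval(header_from, mail_from, spf_pass, dkim_pass_domains):
    """Evaluate alignment against the From: header domain, whose policy applies."""
    from_domain = header_from.rpartition("@")[2].lower()
    spf_domain = mail_from.rpartition("@")[2].lower()
    spf_aligned = spf_pass and aligned(from_domain, spf_domain)
    dkim_aligned = any(aligned(from_domain, d) for d in dkim_pass_domains)
    return {"policy_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}

# Constructed sample messages (not real traffic).
HEADER_FROM = "alice@example.org"
DIRECT_MAIL_FROM = "alice@example.org"
SRS_MAIL_FROM = "SRS0=x7Fq=2A=example.org=alice@fwd.example.net"

def demo():
    return {
        "direct": dmarc_eval(HEADER_FROM, DIRECT_MAIL_FROM, True, []),
        # SPF passes for the forwarder's domain, but that domain is not the From: domain.
        "srs_no_dkim": dmarc_eval(HEADER_FROM, SRS_MAIL_FROM, True, []),
        # An intact author DKIM signature still aligns after forwarding.
        "srs_with_dkim": dmarc_eval(HEADER_FROM, SRS_MAIL_FROM, True, ["example.org"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
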