On 2024-02-03 09:01:40 (+0800), Bill Cole via mailop wrote:
> On 2024-02-02 at 10:26:55 UTC-0500 (Fri, 2 Feb 2024 16:26:55 +0100)
> Kai Bojens via mailop <k...@artfiles.de>
> is rumored to have said:
>
>> On 02.02.24 at 16:08, Mark E. Jeftovic via mailop wrote:
>>> We're having a bit of a theological debate internally on whether to
>>> implement DMARC on our SRS forwarder domains.
>>
>> Skip SRS and implement ARC for forwarded e-mails. This should solve
>> all these problems.
>
> Telling the next hops that they need to parse ARC and trust your
> system instead of just checking SPF is a choice that one can make,
> yes.
>
> Without SRS, SPF will fail on forwarded mail. It is going to be rare
> for anyone other than the behemoths to support ARC in any meaningful
> way for the near term (0-5 years) and you will always (effectively...)
> have sites rejecting on SPF failures out of misguided "principle."

As a forwarder, downstreams rejecting based on SPF -all really doesn't
bother me. In most configurations, the bounce from the downstream's
reject message will tell the sender how to contact the recipient without
going through the forwarder. E.g.:

    <recipi...@example.org>: host misconfigured.example.org[2001:db8::19:1]
        said: 550 5.7.23 <recipi...@example.org>: Recipient address rejected:
        Message rejected due to: SPF fail - not authorized. Please see
        http://www.openspf.net/Why?s=mfrom;id=sen...@example.net;ip=2610:1c1:1:606c::19:2;r=example.org
        (in reply to RCPT TO command)

Our documentation specifically tells our downstreams to allowlist our
forwarder:
https://docs.freebsd.org/en/articles/committers-guide/#conventions-everyone
Occasionally someone downstream complains that we should be implementing
SRS. We tell them to allowlist us instead, and point out that we do
ARC.
Philip
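
The SPF behaviour discussed in this thread, as an added example that is not part of the original messages or any poster's code: a forwarder relaying with the original envelope sender fails the sender domain's `-all` policy, while an SRS-rewritten envelope sender is checked against the forwarder's own record. The SPF records, the address `alice@example.net`, the domain `forwarder.example`, the secret and the day number are constructed assumptions; the SPF evaluator handles only `ip4:`/`ip6:`/`all`, and the SRS0 tag is a simplified HMAC, not a drop-in for a real SRS library.

```python
import base64, hashlib, hmac, ipaddress

# Constructed SPF records (assumptions; not real DNS data).
SPF = {
    "example.net": "v=spf1 ip6:2001:db8:aaaa::/48 -all",          # original sender
    "forwarder.example": "v=spf1 ip6:2610:1c1:1:606c::/64 -all",  # hypothetical forwarder
}
FORWARDER_IP = "2610:1c1:1:606c::19:2"  # connecting IP shown in the bounce above
SECRET = b"constructed-demo-secret"     # hypothetical SRS signing secret

def check_spf(mail_from, client_ip):
    """Evaluate ip4:/ip6: mechanisms and 'all' only (a small subset of RFC 7208)."""
    record = SPF.get(mail_from.rsplit("@", 1)[1])
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            hit = True
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            hit = ip.version == net.version and ip in net
        else:
            continue  # other mechanisms are not modelled in this example
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def srs_rewrite(mail_from, forwarder_domain, day_number):
    """Build an SRS0-style sender: SRS0=tag=timestamp=domain=local@forwarder."""
    local, domain = mail_from.rsplit("@", 1)
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    ts = alphabet[(day_number >> 5) & 31] + alphabet[day_number & 31]
    mac = hmac.new(SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"

def forward_results(mail_from, day_number=19756):
    """Return (SPF without SRS, rewritten sender, SPF with SRS) as seen downstream."""
    rewritten = srs_rewrite(mail_from, "forwarder.example", day_number)
    return (check_spf(mail_from, FORWARDER_IP), rewritten,
            check_spf(rewritten, FORWARDER_IP))

if __name__ == "__main__":
    print(forward_results("alice@example.net"))
```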