On 2017 Feb 12, 07:53, Dominic Raferd wrote:
>
> To go back to a point made by OP about SPF being 'good', it seems to me
> that SPF is fundamentally and irretrievably flawed - and frankly should
> be dropped.

Wow! Those are big words.

> The fact that it works in 99.5% of situations just makes it
> worse. Any email that is passed by a recipient through an intermediate
> MTA (like all of mine, for instance) will have broken SPF when it
> reaches its final destination MTA.

Well, yes, SPF breaks old-style forwarding. This is well known and undisputed. Many old-style SMTP "customs" no longer apply, like open relays, etc. Old-style forwarding is nowadays also known as "spoofing the sender", and it is seriously frowned upon, as are open relays. I understand there are people who want to keep using old-style forwarding, and also there are some hold-outs still having open relays as a matter of principle.

SPF is designed to afford brand protection at the domain level in the email realm. No more, no less.

I don't want to get personal, but if you don't appreciate SPF, perhaps that's because your domains have never been massively spoofed in global, distributed, resilient spamming campaigns. I like SPF because it has saved my bacon more than once.

> Secondly, IMO mailing lists should stop faking sender addresses and
> instead should send either from the mailing list address or at least
> from the mailing list domain e.g.
> [email protected]. That way the emails
> could be fully DMARC-compliant and avoid problems even for original
> senders with p=reject policy (for instance, yahoo users).

If I understand you correctly, you are bidding for mailing lists to change (and take ownership of) the Header-From in the messages distributed to the mailing list subscribers (because mailing lists already routinely use their own email address in the Return-Path in the SMTP envelope). I don't mind either way, but please be aware that veteran mailing list operators will scream bloody murder at such a suggestion.

It's true such a suggestion would solve the DMARC interoperability problem with mailing lists, but also doing as this list does would solve the problem: i.e., not adding subject tags nor body footers, so that the original sender DKIM signature remains valid for the original, unchanged email address in the Header-From.

The real solution would be to not use a DMARC policy of p=reject when posting to mailing lists, as the DMARC workgroup at IETF recommended. Alas, that horse is already out of the barn, as AOL and Yahoo are already using p=reject in their DMARC, and their users are certainly posting to mailing lists.

So, the world is very much complicated.

-- 
Josh Good
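The forwarding and mailing-list cases discussed in the message above, worked through as an added example that is not part of the original thread: a simplified DMARC evaluator showing which handling survives a p=reject policy. The domains `sender.example` and `list.example`, the scenario names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels stand in for the
    # organizational domain; real evaluators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Message:
    header_from: str   # domain in the Header-From
    return_path: str   # domain in the SMTP envelope Return-Path (what SPF checks)
    spf_pass: bool     # connecting IP authorised by return_path's SPF record?
    dkim_domain: str   # d= of the DKIM signature ("" if unsigned)
    dkim_valid: bool   # signature still verifies on arrival?

def dmarc_pass(m: Message) -> bool:
    # DMARC passes if SPF or DKIM passes AND its domain aligns with Header-From.
    want = org_domain(m.header_from)
    spf_ok = m.spf_pass and org_domain(m.return_path) == want
    dkim_ok = m.dkim_valid and org_domain(m.dkim_domain) == want
    return spf_ok or dkim_ok

def disposition(m: Message, policy: str) -> str:
    # policy is the p= tag published by the Header-From domain.
    if dmarc_pass(m):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed scenarios; sender.example and list.example are placeholders.
S, L = "sender.example", "list.example"
SCENARIOS = {
    "direct": Message(S, S, True, S, True),
    "forwarded, unsigned": Message(S, S, False, "", False),
    "forwarded, DKIM intact": Message(S, S, False, S, True),
    "list adds tag/footer": Message(S, L, True, S, False),
    "list leaves message unchanged": Message(S, L, True, S, True),
    "list rewrites Header-From": Message(L, L, True, S, False),
}

def evaluate_all(policy: str) -> dict:
    return {name: disposition(m, policy) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all("reject").items():
        print(f"{name:32} {result}")
```

Under p=reject only the unsigned forward and the list that adds a tag or footer are rejected; with p=none every scenario is delivered.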
