On 12 February 2017 at 12:54, Josh Good <[email protected]> wrote:

> On 2017 Feb 12, 07:53, Dominic Raferd wrote:
>>
>> To go back to a point made by OP about SPF being 'good', it seems to me
>> that SPF is fundamentally and irretrievably flawed - and frankly should
>> be dropped.
>
> Wow! Those are big words.
>
>> The fact that it works in 99.5% of situations just makes it
>> worse. Any email that is passed by a recipient through an intermediate
>> MTA (like all of mine, for instance) will have broken SPF when it
>> reaches its final destination MTA.
>
> Well, yes, SPF breaks old-style forwarding. This is well known and
> undisputed.
>
> Many old-style SMTP "customs" no longer apply, like open relays, etc.
>
> Old-style forwarding is nowadays also known as "spoofing the sender",
> and it is seriously frowned upon, as are open relays.
>
> I understand there are people who want to keep using old-style
> forwarding, and also there are some hold-outs still having open relays
> as a matter of principle.

I don't run an open relay and I am not sure what you mean about 'old-style forwarding'? I am relaying so that I can deliver mails addressed to domain-name mail addresses into my Gmail; I don't know of any other way to do this (other than to buy G-Suite of course).

> SPF is designed to afford brand protection at the domain level in the
> email realm. No more, no less.
>
> I don't want to get personal, but if you don't appreciate SPF, perhaps
> that's because your domains have never been massively spoofed in global,
> distributed, resilient spamming campaigns. I like SPF because it has
> saved my bacon more than once.

For all my 'working' domains (not the one I use here) I have DMARC p=reject. I do have SPF policy as well as DKIM; I just don't see what SPF adds to the others. If I (or others using my domains) had to send some emails that could not use our DKIM then it would have a purpose, I admit.

>
>> Secondly, IMO mailing lists should stop faking sender addresses and
>> instead should send either from the mailing list address or at least
>> from the mailing list domain e.g.
>> [email protected]. That way the emails
>> could be fully DMARC-compliant and avoid problems even for original
>> senders with p=reject policy (for instance, yahoo users).
>
> If I understand you correctly, you are bidding for mailing lists to change
> (and take ownership of) the Header-From in the messages distributed to
> the mailing list subscribers (because mailing lists already routinely
> use their own email address in the Return-Path in the SMTP envelope). I
> don't mind either way, but please be aware that veteran mailing list
> operators will scream bloody murder at such a suggestion. It's true such
> a suggestion would solve the DMARC interoperability problem with mailing
> lists, but also doing as this list does would solve the problem: i.e.,
> not adding subject tags nor body footers, so that the original sender
> DKIM signature remains valid for the original, unchanged email address
> in the Header-From.
>

I wasn't aware that that worked, but now I look more closely at my DMARC records on dmarcian.com it seems that it does - at least in most cases: DMARC reports SPF as unaligned but DKIM as pass/aligned, so DMARC passes. Great. Maybe the few others showing SPF domain postfix.org, but which show no DKIM, really are spoofs.
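
The DMARC outcomes discussed in this message (SPF unaligned but DKIM aligned still passing, and the mailing-list variants), worked through as an added example that is not part of the original message. The `.example` domains are constructed, and the two-label organizational-domain shortcut is an assumption standing in for a Public Suffix List lookup.

```python
# Added illustration: DMARC identifier alignment for the delivery paths
# discussed in this thread. All domains are constructed samples.

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. A real
    # evaluator consults the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(header_from, spf, dkim_sigs):
    """spf: (result, envelope domain); dkim_sigs: list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], header_from)
    dkim_ok = any(r == "pass" and aligned(d, header_from) for r, d in dkim_sigs)
    # DMARC passes when at least one mechanism both passes and aligns.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# name: (Header-From domain, SPF result, DKIM results) as seen by the final MTA
SCENARIOS = {
    # Sender's own server delivers directly.
    "direct": ("sender.example", ("pass", "mail.sender.example"),
               [("pass", "sender.example")]),
    # Intermediate MTA relays with the original envelope sender:
    # the relay's IP is not in the sender's SPF record, DKIM survives.
    "forwarded": ("sender.example", ("fail", "sender.example"),
                  [("pass", "sender.example")]),
    # List uses its own Return-Path and leaves subject/body untouched.
    "list_unmodified": ("sender.example", ("pass", "list.example"),
                        [("pass", "sender.example")]),
    # List adds a subject tag or footer: original DKIM no longer verifies.
    "list_modified": ("sender.example", ("pass", "list.example"),
                      [("fail", "sender.example")]),
    # List takes ownership of Header-From: SPF now aligns with it.
    "list_rewrites_from": ("list.example", ("pass", "list.example"), []),
}

def evaluate_all():
    return {name: dmarc_result(*args)["dmarc"] for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name:20s} {dmarc_result(*args)}")
```

Only `list_modified` fails: SPF passes for the list's domain but does not align with the Header-From, and the modified body invalidates the only aligned DKIM signature.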
