On 19 Jan 2018, at 16:17 (-0500), Chip wrote:

> Do you mean don't whitelist_auth *@example.com *unless* they have
> published spf/dkim?

I can't speak to Dave's meaning (although I value it...) but in fact whitelist_auth directives only have any effect if the domain has published SPF or DKIM records (and in the latter case, signs mail). Having those directives is harmless if they don't support one of those authentication mechanisms.

> Certainly paypal and chase (your examples where you would use
> whitelist_auth) have real human users. . .

Nope.

OK, so I don't know about those SPECIFIC domains but in general, major consumer-facing brand holders are usually smart enough (or hire ESPs smart enough...) to keep their humans and their non-human bulk senders segregated by domain and relevant authentication mechanisms. For example, a decade ago I had personally specific addresses directly under the audiusa.com and vw.com domains but neither of those domains had ANY bulk sender addresses except in subdomains and those subdomains shared NO authentication mechanisms with the base domains that had human users. PayPal and Chase may have stupider admins & governance today than VWoA had a decade ago, but I doubt that.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
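
The behaviour described in this reply, as an added example that is not part of the original message and is not SpamAssassin's own code: a simplified Python model of when a whitelist_auth entry takes effect. The addresses, sample messages and function names are constructed, and the DKIM check is reduced to "a valid signature whose d= equals the author's domain".

```python
import re

def glob_match(pattern, address):
    """Address glob as used in whitelist entries: '*' = any run, '?' = one char."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, address, re.IGNORECASE) is not None

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def whitelist_auth_hit(patterns, msg):
    """Return 'spf' or 'dkim' if an entry takes effect for msg, else None."""
    for pat in patterns:
        # SPF leg: the envelope sender matches the entry AND SPF returned pass.
        if msg["spf"] == "pass" and glob_match(pat, msg["envelope_from"]):
            return "spf"
        # DKIM leg: the From: author matches AND a valid signature covers its domain.
        if glob_match(pat, msg["from"]) and domain_of(msg["from"]) in msg["dkim_valid_d"]:
            return "dkim"
    return None  # no authentication result backs the entry, so it stays inert

# Constructed sample messages (authentication results as a scanner would see them).
SAMPLES = {
    # Domain publishes neither SPF nor DKIM: the entry is harmless but useless.
    "no_auth": {"envelope_from": "alice@example.com", "from": "alice@example.com",
                "spf": "none", "dkim_valid_d": set()},
    # Human user on the base domain, SPF passes.
    "human": {"envelope_from": "alice@example.com", "from": "alice@example.com",
              "spf": "pass", "dkim_valid_d": set()},
    # Bulk sender segregated into a subdomain with its own DKIM key.
    "bulk": {"envelope_from": "bounce@mail.example.com", "from": "news@mail.example.com",
             "spf": "none", "dkim_valid_d": {"mail.example.com"}},
    # Message claiming the base domain that fails SPF and carries no valid signature.
    "forged": {"envelope_from": "alice@example.com", "from": "alice@example.com",
               "spf": "fail", "dkim_valid_d": set()},
}

if __name__ == "__main__":
    for entry in ("*@example.com", "*@mail.example.com"):
        for name, msg in SAMPLES.items():
            print(entry, name, whitelist_auth_hit([entry], msg))
```

The "bulk" sample is the segregation case from the reply: an entry for the base domain does not cover the subdomain's mail, so the bulk stream needs its own entry.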
