Google Chrome and other browsers have been slowly penalizing sites not using encryption to the point that soon they will be alerting users of plain HTTP sites. This along with letsencrypt.org has been moving the HTTPS bar forward to improve web security and privacy.

I think it's time for the SA community to help move the bar forward with SPF. The problem is many sysadmins that don't understand SPF have been implementing SPF incorrectly (thank you Microsoft Office 365) and incompletely without understanding they are shooting themselves in the foot.

I decided about a month ago to start sending feedback emails to senders with SPF PERMERR and SPF FAIL in an attempt to help them help themselves improve _their_ mail delivery. If you set up your SPF record like Microsoft recommends with a "-all" and it's not completely covering all legit sources of email, it's completely useless for any MTAs and mail filters to take SPF_FAIL hits seriously. We should have rejected the email per that sending domain's own wishes, but we all know they didn't intend for us to really block it, so what good is it?

What does everyone think about slowly increasing the score for SPF_NONE and SPF_FAIL over time in the SA rulesets to force the awareness and importance of proper SPF? This may need to have an official announcement of what the plans/timelines would be so we could get the word out.

These days with DMARC reporting, it's not impossible to figure out a good SPF record like it was 10 years ago. The real problem with SMTP in general is there is no reliable way to get feedback to mail admins without sending confusing technical emails to regular users.

--
David Jones
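To make the point above concrete (a "-all" record that omits a legitimate sending source yields FAIL for that sender, and a broken record yields PERMERROR), here is an added example that is not part of the original post or of SpamAssassin itself. It is a deliberately reduced SPF evaluator: it understands only ip4, ip6, include and all, uses a constructed in-memory TXT table instead of DNS (all domain names and addresses below are assumed sample values), and treats any other mechanism as unsupported. It is meant to show how the result is reached, not to replace a real SPF library.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: no network access).
# example.com lists only its own mail servers but also sends through a bulk mailer,
# so its "-all" record is incomplete; example-fixed.com is the corrected version.
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "example-fixed.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.bulkmailer.example -all",
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def check_spf(domain, ip, _depth=0):
    """Evaluate the constructed SPF record for `domain` against sender `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _depth > MAX_LOOKUPS:
        # Too many nested includes (or a loop): the record is unusable.
        return "permerror"
    record = TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"

    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"  # mechanisms default to a "pass" qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            # "all" always matches; "-all" is what turns an omission into FAIL.
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_spf(arg, ip, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                # An included domain with no usable record breaks the whole check.
                return "permerror"
            # fail/softfail/neutral from an include just means "no match here".
        else:
            # a, mx, ptr, exists are not implemented in this reduced evaluator.
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    cases = [
        ("example.com", "203.0.113.7"),        # own server: pass
        ("example.com", "198.51.100.9"),       # bulk mailer omitted: fail
        ("example-fixed.com", "198.51.100.9"), # corrected record: pass
        ("nospf.example", "203.0.113.7"),      # no record: none
        ("loop.example", "203.0.113.7"),       # include loop: permerror
    ]
    for dom, ip in cases:
        print(f"{dom:<25} {ip:<16} -> {check_spf(dom, ip)}")
```

The second case is the situation the post describes: the sender is legitimate, the domain owner published "-all", and the only honest outcome for a receiving MTA is to treat the message as failing SPF. The last case shows how a record that references itself (or chains through more than ten lookups) ends in PERMERROR rather than a usable answer, which is why a receiver cannot act on it at all.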
