On Wed, Jan 24, 2018 at 08:12:19AM -0600, David Jones wrote:
> Google Chrome and other browsers have been slowly penalizing sites not
> using encryption to the point that soon they will be alerting users of
> plain HTTP sites. This along with letsencrypt.org has been moving the
> HTTPS bar forward to improve web security and privacy.
>
> I think it's time for the SA community to help move the bar forward with
> SPF. The problem is many sysadmins that don't understand SPF have been
> implementing SPF incorrectly (thank you Microsoft Office 365) and
> incompletely without understanding they are shooting themselves in the foot.
>
> I decided about a month ago to start sending feedback emails to senders
> with SPF PERMERR and SPF FAIL in an attempt to help them help themselves
> improve _their_ mail delivery. If you set up your SPF record like
> Microsoft recommends with a "-all" and it's not completely covering all
> legit sources of email, it's completely useless for any MTAs and mail
> filters to take SPF_FAIL hits seriously. We should have rejected the
> email per that sending domain's own wishes but we all know they didn't
> intend for us to really block it so what good is it?
>
> What does everyone think about slowly increasing the score for SPF_NONE
> and SPF_FAIL over time in the SA rulesets to force the awareness and
> importance of proper SPF? This may need to have an official
> announcement of what the plans/timelines would be so we could get the
> word out.
>

It sounds like a plan, I am all for that.
 Giovanni

> These days with DMARC reporting, it's not impossible to figure out a
> good SPF record like it was 10 years ago. The real problem with SMTP in
> general is there is no reliable way to get feedback to mail admins
> without sending confusing technical emails to regular users.
>
> --
> David Jones