SPF is designed for whitelisting, not blacklisting.

Remember when "shields" appeared in mail clients, and how fast that
feature disappeared? Far too many people clicking on phish that seemed
"authentic". With the explosion of cheap domains and registrars, there's
really no snowshoe Black Hat operation that can't comply. Compliance was
99.9999% in every phish I investigated last year; the one outlier I can
recall was a simple typo in one server in the sender's network.

SPF is a zombie legacy that someone should shoot in the head. Maybe then
we could design something that is useful for what we all desire, which
is properly authenticating senders.



________________________________
From: David Jones <djo...@ena.com>
Sent: Wednesday, January 24, 2018 6:12:19 AM
To: 'users@spamassassin.apache.org'
Subject: Penalty for no/bad SPF

Google Chrome and other browsers have been slowly penalizing sites not
using encryption to the point that soon they will be alerting users of
plain HTTP sites.  This along with letsencrypt.org has been moving the
HTTPS bar forward to improve web security and privacy.

I think it's time for the SA community to help move the bar forward with
SPF.  The problem is many sysadmins that don't understand SPF have been
implementing SPF incorrectly (thank you Microsoft Office 365) and
incompletely without understanding they are shooting themselves in the foot.

I decided about a month ago to start sending feedback emails to senders
with SPF PERMERR and SPF FAIL in an attempt to help them help themselves
improve _their_ mail delivery.  If you set up your SPF record like
Microsoft recommends with a "-all" and it's not completely covering all
legit sources of email, it's completely useless for any MTAs and mail
filters to take SPF_FAIL hits seriously.  We should have rejected the
email per that sending domain's own wishes, but we all know they didn't
intend for us to really block it, so what good is it?

What does everyone think about slowly increasing the score for SPF_NONE
and SPF_FAIL over time in the SA rulesets to force the awareness and
importance of proper SPF?  This may need to have an official
announcement of what the plans/timelines would be so we could get the
word out.

These days with DMARC reporting, it's not impossible to figure out a
good SPF record like it was 10 years ago.  The real problem with SMTP in
general is there is no reliable way to get feedback to mail admins
without sending confusing technical emails to regular users.

--
David Jones
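
The two points made above (SPF only positively authorises the sources a
domain lists, and a "-all" record that omits a legitimate source turns that
source's mail into an SPF_FAIL) can be seen with a small evaluator. The code
below is an added example written for this page; it is not SpamAssassin's
SPF plugin and not code from either poster. The domains, addresses and TXT
records are constructed for the illustration, using documentation address
ranges, and only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Minimal SPF (RFC 7208) evaluator over constructed, in-memory TXT records."""
import ipaddress

# Constructed TXT records for the example (not any real domain's published SPF).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    # Nothing stops a throwaway phishing domain from publishing a perfect
    # record for the hosts it really sends from: SPF then says "pass".
    "phish.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # Typo in an include target: the whole record is unusable (PERMERROR).
    "broken.example": "v=spf1 include:_spf.mailer.exmaple -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 section 4.6.4 bounds DNS-querying mechanisms


def check_host(ip, domain, depth=0):
    """Evaluate <domain>'s SPF record for the connecting address <ip>.

    Returns an RFC 7208 result name: pass, fail, softfail, neutral, none or
    permerror.  Only ip4, ip6, include and all are implemented; a, mx, ptr,
    exists, redirect= and exp= are out of scope for this example and yield
    permerror so that the omission can never be mistaken for a pass.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            # "all" always matches; its qualifier is the domain's verdict for
            # every source it did not list ("-all" = reject, "~all" = softfail).
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
            # fail/softfail/neutral from the included record: no match, continue
        else:
            return "permerror"  # unsupported mechanism or modifier (see docstring)
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    cases = [
        ("192.0.2.5", "example.com"),       # listed directly
        ("198.51.100.10", "example.com"),   # listed via include
        ("203.0.113.7", "example.com"),     # legit host the admin forgot: fail
        ("203.0.113.7", "phish.example"),   # attacker's own domain: pass
        ("192.0.2.5", "broken.example"),    # typo in include: permerror
        ("192.0.2.5", "nospf.example"),     # no record at all: none
    ]
    for ip, domain in cases:
        print(f"{ip:>15}  {domain:<20} {check_host(ip, domain)}")
```

The third and fourth cases are the thread's argument in miniature: a
forgotten legitimate relay on example.com produces the same "fail" that a
receiver is being asked to score harder, while phish.example, which lists
exactly the hosts it sends from, passes cleanly. A "pass" only says the
sending host is one the domain owner authorised; it says nothing about
whether that owner is trustworthy.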
