On 01/24/2018 03:45 PM, Joseph Brennan wrote:

David Jones <djo...@ena.com> wrote:

SA could be the large force that helps improve the mail standards like
DMARC -- SPF + DKIM with a little extra on top.

DMARC is not a standard according to RFC 7489, "Status of This Memo". It's just informational, for those who want to play the game. DMARC is destroying forwarding and mailing lists, and I'm sorry to see the elephants in the email room implementing it -- though Gmail still does not always reject based on DMARC reject, as if they use that plus some internal system to make the call.

The New York Times nytimes.com has an SPF record with too many DNS lookups. Are you willing to block that? That one amazes me, since SPF is the simplest of these ventures to implement correctly, and since the Times's frequent mailings of news updates evidently are not affected enough by SPF fail for the Times to go fix it.

Joseph Brennan
Columbia University IT
The key point here is that the bulk nytimes.com email that is system generated, i.e. not from humans with real mailboxes that could be compromised, is sent from subdomains, so this entry would be safe since they do have good SPF records on the subdomains:

whitelist_auth *@*.nytimes.com

In fact, I have put this in the 60_whitelist_auth.cf:

def_whitelist_auth *@*.nytimes.com

... so bulk emails from them should be scoring pretty low for everyone running sa-update.

This should prove my main point of this thread.

SA actually allows for more than 10 DNS lookups, so it's more forgiving than the actual spec and would likely still hit SPF_PASS as long as the emails came from a covered source.

I have a recent email from a human-looking email address @nytimes.com that SA shows as SPF_PASS from a Google mail server.

--
David Jones
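The "too many DNS lookups" problem discussed in this thread is easy to check for on your own domain before a strict resolver returns permerror. The script below is an added example, not code from the thread or from SpamAssassin: it walks an SPF record, follows include: and redirect=, and counts the terms that RFC 7208 limits to 10 per evaluation. The zone data is constructed for the example; in practice you would fetch each TXT record from DNS.

```python
import re

# RFC 7208 section 4.6.4: an SPF evaluation may perform at most 10 DNS lookups
# for the include, a, mx, ptr and exists terms and the redirect modifier.
LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone (not real DNS data): domain -> SPF TXT record.
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.a.example include:_spf.b.example mx -all",
    "_spf.a.example": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.c.example ~all",
    "_spf.b.example": "v=spf1 a:mail.b.example a:mail2.b.example include:_spf.c.example ~all",
    "_spf.c.example": "v=spf1 ip4:198.51.100.0/24 a mx mx:backup.c.example exists:%{i}.c.example -all",
    "lean.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

def count_spf_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reached while evaluating the
    SPF record of `domain`, following include: and redirect= recursively.
    A domain included twice is counted twice, as a resolver evaluates it twice;
    a cycle on the current path is cut off so the walk terminates."""
    if domain in path or len(path) > 10:
        return 0
    parts = zone.get(domain.lower(), "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return 0
    total = 0
    for term in parts[1:]:
        term = term.lstrip("+-~?")                       # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue                                     # ip4/ip6/all/exp= need no DNS
        total += 1
        if name == "include":
            total += count_spf_lookups(term.split(":", 1)[1], zone, path + (domain,))
        elif name == "redirect":
            total += count_spf_lookups(term.split("=", 1)[1], zone, path + (domain,))
    return total

def spf_within_limit(domain, zone=SAMPLE_ZONE):
    """Return (lookup_count, ok); ok is False when a strict RFC 7208
    evaluator would return permerror for this record."""
    n = count_spf_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT

if __name__ == "__main__":
    for d in ("example.com", "lean.example"):
        n, ok = spf_within_limit(d)
        print(f"{d}: {n} DNS-querying terms -> {'ok' if ok else 'exceeds limit of 10'}")
```

The sample example.com record reaches 17 lookups because _spf.c.example is pulled in twice, which is exactly the kind of nested-include growth that pushes a record over the limit.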
