On 01/24/2018 04:00 PM, Vincent Fox wrote:
> so there's this argument that goes:
> "well we won't really see the benefits until it's FULLY and RIGIDLY
> implemented."
> However, look at all the major providers with messed up records and
> neutral or soft fail. They should have the most resources to
> accomplish this and the most incentives to list all their netblocks and
> set to hard fail.
> Google is soft fail.
> Hotmail is soft fail.
> (etc etc ad nauseam)
> I rest my case.
There is nothing wrong with stopping at a soft fail if that is what they
want to do. In fact, most people should stop at soft fail unless they
really know what they are doing or they are a major brand with a high
risk of spoofing.
People are blindly following Microsoft's DNS entries for Office 365
setup with "-all" when they don't know what they are doing. Microsoft
should be telling people to do "~all" in their setup instructions. Then
Microsoft should be checking their customers' SPF records for them and
showing them when it's broken in the Admin Center.
1. We need SPF_FAIL hits to mean something and they don't.
2. We can use subdomains with SPF_PASS to safelist trusted senders that
are targets of spoofing.
> After 14+ years we are still having this ridiculous argument about how
> in 14 MORE years when we finally fully implement this flawed technology,
> it'll do something useful. Meanwhile I see it as being more risk than
> benefit.
With a big force like SA or Google, we could do this in a couple of
years slowly and easily then start doing the same for DKIM.
> Frankly I'd rather these manhours be used on having correct A & PTR
> records, which seems to be beyond the pale for some bulkmail vendors.
We could do the same thing for RDNS_NONE hits. Good idea.
--
David Jones