On 01/25/2018 09:34 AM, RW wrote:
On Wed, 24 Jan 2018 16:26:58 -0600
David Jones wrote:

On 01/24/2018 04:00 PM, Vincent Fox wrote:

However, look at all the major providers with messed up records and
neutral or soft fail.  They should have the most resources to
accomplish this and the most incentives to list all their
netblocks and set to hard fail.


Google is soft fail.
Hotmail is soft fail.


And Yahoo has the strongest DMARC policy and the weakest SPF policy.

There is nothing wrong with stopping a soft fail if that is what they
want to do.  In fact, most people should stop at soft fail unless
they really know what they are doing or they are a major brand with a
high risk spoofing.

There's more to it than that.

All of the above use DMARC and if you use -all in combination with
DMARC you are allowing the SPF result (which is only one component of
DMARC) and SPF's legacy policy mechanism to override both the DMARC
result and the DMARC policy. The DMARC RFC has a warning about this.


My understanding based on real world results and the link below says that for DMARC to pass you have to have SPF pass and envelope-from domain alignment _OR_ DKIM pass and header From: domain alignment. If you have both then it's even better.

https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/

SPF_PASS can hit with either "~all" or "-all" so it doesn't make a difference to DMARC pass.

--
David Jones
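
The two points argued in this thread, as an added Python example that is not part of any poster's message: DMARC passes on aligned SPF or aligned DKIM, and a receiver that acts on an SPF `-all` fail at SMTP time never reaches the DMARC check. Function names and the example.com domains are constructed, and the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
# Added illustration, not from the thread. Function names and the
# example.com domains below are constructed.

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real
    # implementation looks this up in the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    # DMARC identifier alignment: strict = exact match, relaxed = same
    # organizational domain.
    a, f = auth_domain.lower(), header_from.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_pass(spf_result, mail_from, dkim_sigs, header_from):
    # dkim_sigs is a list of (result, d= domain) pairs.
    spf_ok = spf_result == "pass" and aligned(mail_from, header_from)
    dkim_ok = any(r == "pass" and aligned(d, header_from)
                  for r, d in dkim_sigs)
    return spf_ok or dkim_ok

def disposition(spf_result, mail_from, dkim_sigs, header_from,
                dmarc_policy, reject_spf_fail_early):
    # A receiver that acts on SPF "fail" (-all) at SMTP time rejects
    # before DKIM and DMARC are ever evaluated.
    if reject_spf_fail_early and spf_result == "fail":
        return "reject-spf"
    if dmarc_pass(spf_result, mail_from, dkim_sigs, header_from):
        return "accept"
    return {"reject": "reject-dmarc", "quarantine": "quarantine",
            "none": "accept"}[dmarc_policy]

# Constructed case: mail forwarded by a host not listed in the sender's
# SPF record; the original aligned DKIM signature still verifies.
FWD = dict(mail_from="bounce.example.com",
           dkim_sigs=[("pass", "example.com")],
           header_from="example.com", dmarc_policy="reject")

def forwarded(spf_result, early):
    return disposition(spf_result, reject_spf_fail_early=early, **FWD)

if __name__ == "__main__":
    for spf, early in [("softfail", True), ("fail", False), ("fail", True)]:
        print(spf, early, forwarded(spf, early))
```
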
