On Thu, 25 Jan 2018 09:53:12 -0600
David Jones wrote:

> On 01/25/2018 09:34 AM, RW wrote:

> >> There is nothing wrong with stopping a soft fail if that is what
> >> they want to do. In fact, most people should stop at soft fail
> >> unless they really know what they are doing or they are a major
> >> brand with a high risk spoofing.
> >
> > There's more to it than that.
> >
> > All of the above use DMARC and if you use -all in combination with
> > DMARC you are allowing the SPF result (which is only one component
> > of DMARC) and SPF's legacy policy mechanism to override both the
> > DMARC result and the DMARC policy. The DMARC RFC has a warning
> > about this.
>
> My understanding based on real world results and the link below says
> that for DMARC to pass you have to have SPF pass and envelope-from
> domain alignment _OR_ DKIM pass and header From: domain alignment.
> If you have both then it's even better.
>
> https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
>
> SPF_PASS can hit with either "~all" or "-all" so it doesn't make a
> difference to DMARC pass.

From RFC 7489

10.1. Issues Specific to SPF

...

Some receiver architectures might implement SPF in advance of any
DMARC operations. This means that a "-" prefix on a sender's SPF
mechanism, such as "-all", could cause that rejection to go into
effect early in handling, causing message rejection before any DMARC
processing takes place. Operators choosing to use "-all" should be
aware of this.
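The ordering issue in the RFC excerpt, as an added sketch that is not part of the original email: a toy receiver that can enforce SPF hard fail before DMARC runs, applied to a forwarded message whose DKIM signature still verifies. The `Message` fields, `receive`, `reject_on_spf_fail` and the two-label `org_domain` shortcut are assumptions for illustration, and the sample messages are constructed.

```python
from dataclasses import dataclass

@dataclass
class Message:
    header_from: str          # domain in the header From:
    envelope_from: str        # domain in the envelope sender (MAIL FROM)
    spf_result: str           # "pass", "softfail" or "fail" from an SPF check
    dkim_pass_domains: tuple  # d= domains of DKIM signatures that verified

def org_domain(domain):
    # Assumption: last two labels stand in for the Public Suffix List lookup.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_pass(msg):
    # DMARC passes on aligned SPF pass OR aligned DKIM pass (relaxed alignment).
    target = org_domain(msg.header_from)
    spf_ok = msg.spf_result == "pass" and org_domain(msg.envelope_from) == target
    dkim_ok = any(org_domain(d) == target for d in msg.dkim_pass_domains)
    return spf_ok or dkim_ok

def receive(msg, reject_on_spf_fail):
    # reject_on_spf_fail models a receiver that enforces SPF before DMARC runs.
    if reject_on_spf_fail and msg.spf_result == "fail":
        return "spf-reject"   # DMARC is never evaluated
    return "dmarc-pass" if dmarc_pass(msg) else "dmarc-fail"

# Constructed samples: a forwarded message whose DKIM signature survived.
# The forwarder's IP is not in the sender's SPF record, so the SPF result is
# "fail" if the record ends in -all and "softfail" if it ends in ~all.
forwarded_hard = Message("example.com", "example.com", "fail", ("example.com",))
forwarded_soft = Message("example.com", "example.com", "softfail", ("example.com",))
# SPF pass for a domain that is not aligned with From: does not give DMARC pass.
unaligned = Message("example.com", "other.test", "pass", ())

if __name__ == "__main__":
    for name, msg in [("-all", forwarded_hard), ("~all", forwarded_soft),
                      ("unaligned", unaligned)]:
        print(name, receive(msg, True), receive(msg, False))
```

The two forwarded samples differ only in the SPF qualifier the sender published, and only the "-all" one can be lost to the early SPF check.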