On Thursday, April 17, 2014 6:53 PM, John Levine wrote:
>> I don't see any scaling problem for the case of a domain used by a single
>> entity that wants to authorize a few service providers to send email on
>> its behalf.

> Is that really a problem? I was under the impression that a sender either
> adds the providers' IPs to their SPF record, or gives them a DKIM signing key.

wrong:
1. DKIM key sharing requires such support, which is usually not there.
2. SPF policy check doesn't evaluate ur SPF policy at all, but ur ESP's.

On Thursday, April 17, 2014 6:53 PM, John Sweet wrote:
>> I am still curious what's wrong with this proposal.

> How is this not covered by SPF "include:"? If your message has both MAILFROM
> and RFC822 From: aligned on your domain, and the connecting IP is in the
> range of the included domain, it's all good.

it isn't covered by SPF's "include:".

seems not many understand this problem, let me make an example:

if i use yahoo email for my goodone.tk domain, yahoo will send my email
with yahoo.com DKIM key and with yahoo.com SPF MailFrom [my yahoo account
address]. and i can't do anything about it. yahoo doesn't support
key-sharing, nor will it.

so, my domain-email sent from yahoo mail isn't aligned. however, it is
legitimate, it is DKIM-signed and it has proper SPF.

out of my 15 small-business customers, 12 use exactly this usage scenario.
usually google. and when i said it would be a problem, that was not the
best way, trying to force them to send mail through their own server,
they didn't want to hear it.

and i imagine, it is a pretty common practice in the wild for small players.

--
Vlatko Salaj aka goodone
http://goodone.tk
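
The scenario in the message above, worked through as an added example that is not part of the original post: a hosted-mailbox message passes SPF and DKIM yet fails DMARC alignment, even when the owner's own SPF record lists the provider. The function names, IP addresses (documentation ranges) and flattened SPF table are constructed assumptions.

```python
# Added example, not from the thread. All data below is constructed.
# Assumption: each SPF record is flattened to a set of IPs, so 192.0.2.10 in
# the goodone.tk entry stands in for an "include:" of the provider's range.
SPF = {
    "yahoo.com": {"192.0.2.10"},
    "goodone.tk": {"198.51.100.5", "192.0.2.10"},
}

def org_domain(domain):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain):
    # Relaxed DMARC alignment: organizational domains must match.
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, mailfrom_domain, ip, dkim_d, dkim_valid=True):
    # SPF consults the MAIL FROM domain's record, never the From: header's.
    spf_pass = ip in SPF.get(mailfrom_domain, set())
    spf_aligned = spf_pass and aligned(from_domain, mailfrom_domain)
    dkim_aligned = dkim_valid and aligned(from_domain, dkim_d)
    return {
        "spf_record_checked": mailfrom_domain,
        "spf": "pass" if spf_pass else "fail",
        "dkim": "pass" if dkim_valid else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }

# Hosted mailbox: From: is goodone.tk, provider uses its own MAIL FROM and d=.
HOSTED = evaluate("goodone.tk", "yahoo.com", "192.0.2.10", "yahoo.com")
# Own server: MAIL FROM is goodone.tk and d= is a subdomain of it.
SELF_HOSTED = evaluate("goodone.tk", "goodone.tk", "198.51.100.5", "mail.goodone.tk")

if __name__ == "__main__":
    for name, result in (("hosted", HOSTED), ("self-hosted", SELF_HOSTED)):
        print(name, result)
```

The goodone.tk SPF entry is never read for the hosted message, because the record checked belongs to the MAIL FROM domain.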
