But if your ESP is where your email originates, then citing them in your SPF is appropriate.
If you're worried about the impact of DMARC then:
a) Don't publish a DMARC record
b) Publish a DMARC record with p=none or
c) Publish any DMARC policy but use an SPF record like "v=spf1 ip4:0.0.0.0/0 ~all"

As for small domains being able to send DMARC compliant mail, (not trying to market Google's capability... but) that's easily accomplished with Gmail using your own DKIM key that's published on your own DNS entry for your personal/small business domain.

-----Original Message-----
From: dmarc [mailto:[email protected]] On Behalf Of Vlatko Salaj
Sent: Thursday, April 17, 2014 1:33 PM
To: [email protected]
Subject: Re: [dmarc-ietf] alignment and parsing logic as optionals

On Thursday, April 17, 2014 6:53 PM, John Levine wrote:

>> I don't see any scaling problem for the case of a domain used by a single
>> entity that wants to authorize a few service providers to send email on
>> its behalf.

> Is that really a problem? I was under the impression that a sender either
> adds the providers' IPs to their SPF record, or gives them a DKIM signing key.

wrong:
1. DKIM key sharing requires such support, which is usually not there.
2. SPF policy check doesn't evaluate ur SPF policy at all, but ur ESP's.

On Thursday, April 17, 2014 6:53 PM, John Sweet wrote:

>> I am still curious what's wrong with this proposal.

> How is this not covered by SPF "include:"? If your message has both MAILFROM
> and RFC822 From: aligned on your domain, and the connecting IP is in the
> range of the included domain, it's all good.

it isn't covered by SPF's "include:".

seems not many understand this problem, let me make an example:

if i use yahoo email for my goodone.tk domain, yahoo will send my email with yahoo.com DKIM key and with yahoo.com SPF MailFrom [my yahoo account address]. and i can't do anything about it. yahoo doesn't support key-sharing, nor will it.

so, my domain-email sent from yahoo mail isn't aligned. however, it is legitimate, it is DKIM-signed and it has proper SPF.

out of my 15 small-business customers, 12 use exactly this usage scenario. usually google. and when i said it would be a problem, that was not the best way, trying to force them to send mail through their own server, they didn't want to hear it.

and i imagine, it is a pretty common practice in the wild for small players.

--
Vlatko Salaj aka goodone
http://goodone.tk

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
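
The alignment cases discussed in this message, worked through as an added example that is not part of the original thread: a DMARC identifier-alignment check applied to the goodone.tk/yahoo.com scenario and to the own-DKIM-key scenario. The function names, the `provider.example` domain, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels.
    A real evaluator must consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


@dataclass
class AuthResult:
    from_domain: str   # domain of the RFC5322 From: header
    spf_domain: str    # RFC5321 MailFrom domain that SPF evaluated
    spf_pass: bool
    dkim_domain: str   # d= value of the DKIM signature
    dkim_pass: bool


def dmarc_eval(r: AuthResult, aspf_strict: bool = False, adkim_strict: bool = False) -> dict:
    """A mechanism counts toward DMARC only if it passes AND its domain aligns with From:."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf_strict)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, adkim_strict)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed case 1: the scenario in the message. SPF and DKIM both pass,
# but for yahoo.com, while From: is goodone.tk.
PROVIDER_SIGNED = AuthResult("goodone.tk", "yahoo.com", True, "yahoo.com", True)

# Constructed case 2: the provider signs with the customer's own DKIM key
# (d=goodone.tk, key published in the customer's DNS); MailFrom is still the provider's.
OWN_DKIM_KEY = AuthResult("goodone.tk", "provider.example", True, "goodone.tk", True)

if __name__ == "__main__":
    for name, case in (("provider-signed", PROVIDER_SIGNED), ("own DKIM key", OWN_DKIM_KEY)):
        print(name, dmarc_eval(case))
```
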
