On Saturday, April 1, 2023 11:08:00 AM EDT Dotzero wrote:
...
> If you feel this strongly, where is the record of your advocating for "MUST
> NOT" for domains with end users implementing an SPF policy ending in
> "-all"? That certainly breaks interoperability through mailing lists and
> various forwarders if honored by validators.
...

Since I was arguing elsewhere in the thread about being the pedantic nerd who won't shut up about stuff everyone else is sick of hearing about ...

I don't believe this is accurate. SPF as defined by the IETF (experimentally in RFC 4408 and standards track in RFC 7208) focuses entirely on sender policy (thus the name, though I still prefer the original Sender Permitted From). Nowhere does it specify receiver actions (I personally thought this was a bad idea in 2007, but I see the wisdom of it now). DMARC made a different choice, so it has to live with the implications of that decision.

Every mailing list I recall using has set its own Mail From, so the SPF of the originator doesn't come into play. The issue with SPF and mailing lists only arises when using SPF results as an input to DMARC. That's a DMARC issue, not an SPF issue.

Mis-configuration of SPF can (and certainly has) caused problems with forwarders. I think that RFC 7208 is reasonably clear about where in the architecture it is appropriate to check SPF results. While this was a significant issue early in SPF's deployment, I think it's reasonably well understood now.

This is also not like DMARC. The mitigation for SPF issues due to receiver-configured forwarding can and should be addressed by how receivers check SPF. There are no issues that can only be solved by changes that disturb long established practice (SRS is an option that mediators can use, but IMO that's a work-around for receivers with architectural issues). The only way to address similar issues with DMARC is with substantial, disruptive changes.

Your "if honored by validators" is the key point architecturally. RFC 7208 is pretty clear about where in the architecture the honoring needs to be done and if that guidance is followed, there aren't significant issues for forwarders.

I've published an SPF record with -all in my domains since 2004. I get rejection notifications once every several years, so it's not problem free, but it's not nearly the issue that people were worried about a decade and a half ago.

While there are superficial similarities between the interoperability concerns for SPF and DMARC, I think they are entirely that, superficial.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
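
The distinction drawn in the message above, as an added example that is not part of the original post: SPF is evaluated against the Mail From domain alone, while DMARC additionally requires that domain to align with the header From domain. The domains, addresses and the `SPF_POLICY` table are constructed, only the SPF leg of DMARC is modeled (DKIM is ignored), and the two-label organizational-domain rule is a simplification.

```python
import ipaddress

# Constructed SPF data: domain -> networks authorised by a policy ending in "-all".
SPF_POLICY = {
    "author.example": ["192.0.2.0/24"],
    "list.example": ["198.51.100.0/24"],
}

def spf_result(mail_from_domain, client_ip):
    """Evaluate SPF for the Mail From domain only (simplified to ip4 + -all)."""
    nets = SPF_POLICY.get(mail_from_domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def org_domain(domain):
    # Simplification: last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_spf_aligned(header_from_domain, mail_from_domain, client_ip):
    """DMARC counts SPF only if it passes AND Mail From aligns with header From."""
    return (spf_result(mail_from_domain, client_ip) == "pass"
            and org_domain(header_from_domain) == org_domain(mail_from_domain))

def evaluate(header_from, mail_from, client_ip):
    return {"spf": spf_result(mail_from, client_ip),
            "dmarc_spf": dmarc_spf_aligned(header_from, mail_from, client_ip)}

# (header From domain, Mail From domain, connecting IP), all constructed.
SCENARIOS = {
    # Author's own server sends directly.
    "direct": ("author.example", "author.example", "192.0.2.10"),
    # List keeps the author's From header but sets its own Mail From.
    "mailing_list": ("author.example", "list.example", "198.51.100.7"),
    # Plain forwarder keeps the original Mail From; SPF checked behind it.
    "forwarder": ("author.example", "author.example", "203.0.113.5"),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(name, evaluate(*args))
```

The `forwarder` row is the case the message says is avoided when SPF is checked at the point in the architecture RFC 7208 describes, rather than behind the receiver's own forwarding hop.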