Dennis Carr writes:

 > The a:smtp.comcast.net is necessary so I can send email remotely
 > through my ISP and clear out successfully.

That does mean that anybody who can send through smtp.comcast.net can send as a mailbox from your domain and pass DMARC, most likely. I don't see a way to profitably exploit that offhand, though (unless you're a bank).

 > I'm a bit bothered by the '~all', however. I really don't want to do
 > '-all' as I'm concerned that anybody who posts to the list would cause
 > anybody on Yahoo or the MSFT-owned domains (hotmail, live, etc.) to
 > bounce again.

Executive summary: if you're sure you've got all your hosts covered by the SPF record, use -all as Jim P says.

Explanation: If you've got the SPF right, you *do* know all of the relevant hosts, and you've got them covered. Anybody else is spoofing your host at the transport level (*not* the From header), so deny them.

OTOH, your SPF has nothing to do with authentication of list posts from other domains. If your MTA and Mailman are configured correctly, both HELO and MAIL FROM as defined by RFC 5321 will contain one of your domains (bast.chez-vrolet.net or chez-vrolet.net), and the last hop will be verified as coming from your domain using your SPF. This is regardless of the identity in From. If the recipient participates in DMARC, and the message is From you, it will also pass DMARC. (Effectively; the details are nitpicky.)

If the recipient participates in the DMARC protocol, and you resend a post from a third party, the recipient will *also* check the SPF for the domain in the RFC 5322 From field, and it will fail. There is no change you can make to your SPF record that can change this; it's the remote domain's SPF record that matters. This is why DMARC specifies that a valid DKIM signature by the domain in From is also a pass.

SPF is absolutely useless except for "direct to recipient" messages (strictly speaking, sender's MX to recipient's MX; it might bounce around a bit inside each domain). Of course such direct mail is a large fraction of mail on the Internet nowadays, so it's a very useful exception in general. Unfortunately, public discussion mailing lists can't take advantage of that exception.

HTH,

Steve

------------------------------------------------------
Mailman-Users mailing list [email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
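The four situations Steve describes (direct mail from the list owner's host, a relayed third-party post with and without a surviving DKIM signature, a transport-level spoof under -all versus ~all, and the smtp.comcast.net caveat) can be simulated with a small SPF/DMARC evaluator. This is an added example, not code from the thread or from Mailman. The SPF data is constructed: chez-vrolet.net and bast.chez-vrolet.net are the domains named in the thread, example.org stands in for a third-party poster's domain, and evil.example.net for a host in nobody's SPF record. Organizational-domain alignment is approximated by the last two labels rather than the Public Suffix List.

```python
"""
Constructed simulation of the SPF and DMARC checks discussed in the post.
Not code from the original message or from Mailman; domains and SPF data
are assumptions for illustration only.
"""
from dataclasses import dataclass

# Constructed SPF records: domain -> (hosts allowed to send for it, qualifier on
# the trailing "all").  "-" means -all (hard fail), "~" means ~all (softfail).
SPF = {
    "chez-vrolet.net":      ({"bast.chez-vrolet.net", "smtp.comcast.net"}, "-"),
    "bast.chez-vrolet.net": ({"bast.chez-vrolet.net", "smtp.comcast.net"}, "-"),
    "example.org":          ({"mx.example.org"}, "-"),
}


@dataclass
class Message:
    helo: str                              # RFC 5321 HELO/EHLO name
    mail_from: str                         # RFC 5321 MAIL FROM (envelope sender)
    header_from: str                       # RFC 5322 From: header
    last_hop: str                          # host the recipient MX actually received from
    dkim_domains: frozenset = frozenset()  # domains whose DKIM signature still verifies


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def spf_check(domain: str, host: str) -> str:
    """SPF result for one identity (HELO or MAIL FROM domain) from a connecting host."""
    if domain not in SPF:
        return "none"
    hosts, qualifier = SPF[domain]
    if host in hosts:
        return "pass"
    return "fail" if qualifier == "-" else "softfail"


def org_domain(domain: str) -> str:
    # Simplification: real DMARC uses the Public Suffix List; two labels suffice here.
    return ".".join(domain.split(".")[-2:])


def aligned(a: str, b: str) -> bool:
    """Relaxed DMARC alignment: same organizational domain."""
    return org_domain(a) == org_domain(b)


def evaluate(msg: Message) -> dict:
    """SPF for HELO and MAIL FROM, then DMARC alignment against the From: header."""
    mfrom_dom = domain_of(msg.mail_from)
    from_dom = domain_of(msg.header_from)
    mfrom_spf = spf_check(mfrom_dom, msg.last_hop)
    spf_aligned = mfrom_spf == "pass" and aligned(mfrom_dom, from_dom)
    dkim_aligned = any(aligned(d, from_dom) for d in msg.dkim_domains)
    return {
        "helo_spf": spf_check(msg.helo, msg.last_hop),
        "mail_from_spf": mfrom_spf,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def direct_from_owner() -> dict:
    # The owner mails straight from his own host: SPF passes and MAIL FROM aligns
    # with From:, so DMARC passes on SPF alone.
    return evaluate(Message("bast.chez-vrolet.net", "dennis@chez-vrolet.net",
                            "dennis@chez-vrolet.net", "bast.chez-vrolet.net"))


def relayed_post(dkim_survives: bool) -> dict:
    # The list relays a post from example.org.  HELO and MAIL FROM are the list's
    # domain and pass SPF, but From: is the third party's domain, so SPF cannot
    # align; only a surviving DKIM signature from example.org rescues DMARC.
    dkim = frozenset({"example.org"}) if dkim_survives else frozenset()
    return evaluate(Message("bast.chez-vrolet.net", "list-bounces@bast.chez-vrolet.net",
                            "alice@example.org", "bast.chez-vrolet.net", dkim))


def spoofed_host(qualifier: str) -> dict:
    # A host in nobody's SPF record spoofs the domain at the transport level:
    # -all gives a hard fail, ~all only a softfail.
    hosts, _ = SPF["chez-vrolet.net"]
    SPF["chez-vrolet.net"] = (hosts, qualifier)
    try:
        return evaluate(Message("evil.example.net", "dennis@chez-vrolet.net",
                                "dennis@chez-vrolet.net", "evil.example.net"))
    finally:
        SPF["chez-vrolet.net"] = (hosts, "-")


def via_shared_isp_relay() -> dict:
    # The a:smtp.comcast.net caveat: anyone who can relay through that shared host
    # passes SPF, and aligned DMARC, for the domain.  (No SPF record is modelled
    # for comcast.net itself, so the HELO identity evaluates to "none".)
    return evaluate(Message("smtp.comcast.net", "anyone@chez-vrolet.net",
                            "anyone@chez-vrolet.net", "smtp.comcast.net"))


if __name__ == "__main__":
    print("direct:          ", direct_from_owner())
    print("relayed, no DKIM:", relayed_post(False))
    print("relayed, DKIM ok:", relayed_post(True))
    print("spoof under -all:", spoofed_host("-"))
    print("spoof under ~all:", spoofed_host("~"))
    print("via ISP relay:   ", via_shared_isp_relay())
```

The relayed case is the one the post is really about: switching the list's own record between -all and ~all changes nothing in that scenario, because the failing check is alignment between the poster's From: domain and the list's envelope, not the list's SPF result.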
