On Mon, 2017-05-15 at 12:34 -0400, D'Arcy Cain wrote:
[...snip...]
> Are admins getting dumber or is the software (py-policyd in our case)
> getting tougher?

You'd be surprised how many people who would identify as being technical or worse, mail admins, still don't fully understand how SPF works. That includes not keeping their SPF tidy and falling foul of the ten lookup limit.

Add to that some major ESPs still recommending that their customers create / replace their SPF with

"v=spf1 +include:spf.esp.com ?all"

Plus, some mailbox providers recommending that their customers create / replace their SPF with

"v=spf1 +include:spf.provider.com -all"

And, at least one major DNS provider still letting their users create deprecated "SPF" type records.

The all too common "cut and paste" admin is not well served.

> What do others think is best practice? Should we treat broken SPF
> records as if there was no record and just not check the sending server?

This approach is taken by many mailbox providers. I don't think treating an invalid SPF as the equivalent of none being present is a controversial position anymore.

[...snip...]
> They simply contact our users saying that it must be our problem.

I have an ISP client with the same challenge. They don't accept email from sources not listed in the SPF (if present). If someone opens a ticket they use a 24h white-list which lets their user receive the mail and gives the sender time to resolve their SPF. It's worked for the last few years without issue.

Ken.
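
An added example, not part of the original message and not py-policyd code: a receiver-side check that classifies a domain's SPF record as missing, usable, or broken (unknown mechanism, or more than ten DNS-querying terms once include/redirect are followed), then applies the "treat invalid like none" policy discussed in the thread. The `ZONE` data, the `*.example` names and all function names are assumptions made for illustration; macros and the separate void-lookup limit are not modelled.

```python
# Constructed TXT data standing in for DNS; every *.example name is made up.
ZONE = {
    "tidy.example": "v=spf1 ip4:192.0.2.0/24 +include:spf.esp.example -all",
    "spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ?all",
    "sprawl.example": "v=spf1 a mx "
    + " ".join(f"include:i{n}.example" for n in range(9)) + " -all",
    **{f"i{n}.example": f"v=spf1 ip4:203.0.113.{n} -all" for n in range(9)},
    "typo.example": "v=spf1 ip4:192.0.2.1 incldue:spf.esp.example -all",
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
KNOWN_MECHS = LOOKUP_MECHS | {"all", "ip4", "ip6"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


class PermError(Exception):
    pass


def _walk(domain, zone, used):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError(f"no SPF record at {domain}")
    for term in terms[1:]:
        name, eq, value = term.partition("=")
        if eq and ":" not in name and "/" not in name:  # modifier (name=value)
            if name.lower() != "redirect":
                continue  # unknown modifiers are ignored
            mech, target = "redirect", value
        else:
            mech, _, target = term.lstrip("+-~?").partition(":")
            mech, target = mech.split("/")[0].lower(), target.split("/")[0]
            if mech not in KNOWN_MECHS:
                raise PermError(f"unknown mechanism {term!r} at {domain}")
        if mech in LOOKUP_MECHS or mech == "redirect":
            used += 1
            if used > MAX_LOOKUPS:
                raise PermError(f"over {MAX_LOOKUPS} DNS lookups at {domain}")
        if mech in ("include", "redirect"):
            used = _walk(target, zone, used)  # loops also end at the limit
    return used


def spf_status(domain, zone=ZONE):
    """Return ("none", 0), ("ok", lookups) or ("permerror", reason)."""
    if not zone.get(domain, "").lower().startswith("v=spf1"):
        return "none", 0
    try:
        return "ok", _walk(domain, zone, 0)
    except PermError as exc:
        return "permerror", str(exc)


def should_enforce(domain, zone=ZONE):
    """Policy from the thread: a broken record is treated like no record."""
    return spf_status(domain, zone)[0] == "ok"
```

Logging the `permerror` reason alongside the accept decision gives the support desk something concrete to hand back to the sending domain's admin.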
