John, I have an incredible amount of respect for you and your work, so I hope our disagreement is only because we're talking past each other.
The receiving MTA has many tools to choose from when they apply spam filtering to incoming email. They may filter on sending IP, key words, score the message based on various elements of the message and other contextual data. There is no silver bullet and no regulatory mandate on exactly how it is to be done, and the receiving MTA's chief accountability is to its own customer, the intended recipient of the message. All that said, one of the ways for a sending domain to communicate to the receiving MTA how a message from their domain is to be treated is SPF. The SPF standard has described a reasonable range of actions, and when the sending domain selects "-all" they are communicating in the strongest terms possible what they want the receiving MTA to do with the message. Again, the receiving MTA doesn't have to do SPF checking and they don't have to even respect what the sending domain specified in that SPF record, but what I don't understand is how the receiving MTA retains the primary burden to still deliver message when the sending domain specifies "-all". To ignore the sender's explicit request is to claim that the receiving MTA knows better than the sending domain what do with the message. Now, it is possible, as has been laid out, to use the same tools that one regularly uses to assess a message and then decide to ignore the action items specified in the sending domain's SPF. If the receiving MTA does that, and does it well, the recipient wins. Do it wrong, and the sending domain's (best) intentions were frustrated and receiving MTA's customers were done a disservice (hopefully minor, but potentially more major if it was a phish). In regards to DMARC, do you feel so strongly about DMARC that you believe any mail operator that doesn't support DMARC processing on message receipt is doing a poor job? Frank -----Original Message----- From: John R Levine [mailto:jo...@taugh.com] Sent: Saturday, May 20, 2017 11:59 AM To: frnk...@iname.com Cc: mailop <mailop@mailop.org> Subject: RE: [mailop] Many SPF failures lately On Sat, 20 May 2017, frnk...@iname.com wrote: > Are you saying that checking the box on our commercial spam filtering > system’s “check SPF” feature, which quarantines messages that have SPF > failures (-all), was a poor decision on my part? If it does that on a simple SPF failure with no other indication that a message is spam, yes.* I expect that's the sort of thing Neil was referring to when he mentioned firing offenses. > I don’t understand what DMARC has to do with this – a sender who > implements an SPF record should not the assume the receiver has also > implemented DMARC checking. Now I must say that I am really, really glad that I am not one of your mail users. Just for starters, why do you think that DMARC checks both SPF and DKIM and applies the policy only if they both fail? R's, John * - disregarding the special case of an SPF record that contains only -all, meaning that a domain sends no mail at all. But I don't think that's what we're talking about here. _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
