On 17-05-20 12:24 PM, Steve Atkins wrote:
> On May 19, 2017, at 6:58 PM, Bryan Blackwell <br...@skiblack.com> wrote:
>> Hi folks,
>> Please pardon the noob question, just want to make sure this is what a proper
>> SPF record should look like:
>> example.org. IN TXT "v=spf1 mx ~all"
> It's fine. I'd marginally prefer one that listed the source IP addresses
> explicitly ...
> skiblack.com. IN TXT "v=spf1 ip4:70.175.229.213 ~all"
> ... but that might require a little more maintenance, depending on how your MX
> and smarthosts are set up.
> "~all" is the smart policy to use; ignore those who tell you to use "-all" or
> "?all".
Sorry Steve, but IMHO have to disagree.. if you ARE going to use SPF,
you should use -all..
Otherwise you might as well not use SPF.. and save the DNS queries..
Some have pointed out on the list the problem with 'forwarding', however
that is a forwarding problem, and not an SPF problem.
Since every email client out there can check multiple mailboxes, if you
want to properly take advantage of SPF as a recipient, don't do email
forwarding ;)
I like sending this link,
https://emailcopilot.com/blog/how-should-i-end-my-spf-record-all/
It shows that only 22% use -all, which IMHO means not a lot of
faith in SPF records, but they put it in because it is recommended..
(Two year old stats though, btw)
If you are a bank, or any form of a phishing target, using -all is the
obvious choice.. yes, certain forwarding mechanisms will then fail, but
really it should, IF you want the benefits of SPF.. (if it was
forwarded, you are at risk of it being altered anyway)
Using +all is worse than no SPF record at all..
Will have to start running some stats of our own on this, but we aren't
'great' believers in it (SPF). However, if someone does have a '-all',
and they are a likely or proven phishing target, we do use that
information in our 'Known Sender Forgery' tools...
More efficient.. but yes, it will reject email forwarded..
We use a -all on some of our domains, and we do see 'bounces' on
occasion, but in those cases, even though they may be critical emails
that the sender should receive, the small amount of blow back is better
than the alternative.
We are also a proponent of 'stop remote forwarding', and some of our
ISPs are moving to this as a policy even. (Reduces support AND
backscatter and is good for business)
It would be interesting to see use cases for remote email forwarding
that remain in today's world.. and of course, there are standards for
rewriting sender domain when forwarding as well.
And as always, remember SPF is 'not' designed to be a spam protection
tool to be clear.. and most of the professional spammers have better SPF
records than legitimate companies ;) (Same with DKIM/DMARC)
But, as mentioned previously.. More important issues to address than
SPF, that will make the world a better/safer place.
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop