On 2018-04-12 05:41:46 (+0800), Carl Byington wrote:
> While checking dmarc, we check for dkim signatures. If that fails, we look for spf records. A very small number of those contain mx: tokens. While chasing a bug in my code, it became obvious that almost everyone misuses those, and they really meant to use a:some.name

Where you say "almost everyone", you presumably mean "almost everyone of the very small number of SPF users who specify mx: tokens".

> So we could (do what they want) interpret mx:mail.example.com as if it were a:mail.example.com - we won't be rejecting mail that the sending domain intended for us to accept. But that just hides their error and possibly increases the chances of yet more folks making the same mistake.

As others have pointed out: that's a terrible idea. Do what the RFC says.

If the number of sites misusing mx: is small enough, you could contact them to fix their problem. With any luck, the bounces will get them to fix their problems by themselves.

Alternatively, you could whitelist those domains.

What does your code do when it sees mx:mail.example.com, where there is no mx record, but there is an a record?

I use libspf2. It does what the RFC says. That's what standards are for...


Philip Paeps
Senior Reality Engineer
Ministry of Information
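The difference between mx: and a: that the thread turns on, shown as an added example (this is not code from the thread, from Carl's checker or from libspf2). It evaluates the SPF "a" and "mx" mechanisms the way RFC 7208 sections 5.3 and 5.4 describe them against a constructed zone: example.com has an MX pointing at mail.example.com, and mail.example.com has an A record but no MX record. The zone data, IP addresses and function names are all assumptions made for the illustration.

```python
"""Evaluate SPF 'a' and 'mx' mechanisms against a constructed DNS zone.

Added example, not code from the mailop thread or from libspf2.  Follows
RFC 7208 section 5.3 ('a') and section 5.4 ('mx').  All names and
addresses below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone: RRtype -> owner name -> rdata.  example.com's MX points
# at mail.example.com; mail.example.com has an A record but NO MX record,
# which is exactly the case the thread asks about.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "MX": {"example.com": ["mail.example.com"]},
    "A": {
        "mail.example.com": ["192.0.2.25"],   # the MTA
        "example.com": ["192.0.2.80"],        # the web host, not an MTA
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype: str, name: str) -> List[str]:
    """Stand-in for a DNS query; [] where a resolver would return NXDOMAIN/NODATA."""
    return ZONE.get(rrtype, {}).get(name.lower().rstrip("."), [])


def ip_in_hosts(sender_ip: str, host: str) -> bool:
    """RFC 7208 5.3: true if sender_ip equals one of host's A records."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip == ipaddress.ip_address(a) for a in lookup("A", host))


def parse_mechanism(term: str, sender_domain: str) -> Tuple[str, str]:
    """Split 'mx:foo.example' or 'a' into (name, target).

    A missing target means the domain whose record is being evaluated.
    A leading qualifier (+ - ~ ?) is tolerated and dropped here.
    """
    if term and term[0] in "+-~?":
        term = term[1:]
    name, _, target = term.partition(":")
    return name.lower(), (target or sender_domain)


def mechanism_matches(term: str, sender_ip: str, sender_domain: str) -> bool:
    """Does a single 'a' or 'mx' mechanism match the sending IP?"""
    name, target = parse_mechanism(term, sender_domain)
    if name == "a":
        return ip_in_hosts(sender_ip, target)
    if name == "mx":
        mx_hosts = lookup("MX", target)
        # RFC 7208 4.6.4: more than 10 MX names is a permerror.  No MX
        # records at all simply means the mechanism cannot match: there is
        # no fallback to the target's own A record, unlike SMTP's implicit
        # MX rule for delivery.  That is why mx:mail.example.com fails
        # where the publisher meant a:mail.example.com.
        if len(mx_hosts) > 10:
            raise ValueError("permerror: more than 10 MX records for %s" % target)
        return any(ip_in_hosts(sender_ip, h) for h in mx_hosts)
    raise ValueError("unsupported mechanism in this example: %s" % name)


def evaluate_record(record: str, sender_ip: str, sender_domain: str) -> str:
    """Walk an SPF record left to right; first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        if body.lower() == "all" or mechanism_matches(body, sender_ip, sender_domain):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # RFC 7208 4.7: nothing matched and no redirect=


if __name__ == "__main__":
    mta = "192.0.2.25"
    for rec in ("v=spf1 mx:mail.example.com -all",   # what people publish
                "v=spf1 a:mail.example.com -all",    # what they meant
                "v=spf1 mx -all"):                   # correct use of mx
        print("%-36s %s" % (rec, evaluate_record(rec, mta, "example.com")))
```

Running it shows the first record producing "fail" for mail sent from the domain's own MTA, while the other two produce "pass". Note that the hostname mx:mail.example.com form and the bare mx form (which evaluates example.com's MX records) are evaluated by the same code path; the only difference is that mail.example.com has no MX records, so the mechanism has nothing to match against.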

mailop mailing list
