On Fri, 2020-01-24 at 14:02 +0100, Renaud Allard via mailop wrote:
> 
> On 1/24/20 12:28 PM, Jaroslaw Rafa via mailop wrote:
> > In my opinion, "-all" is good only when it is the *only* entry in the SPF
> > record, i.e. SPF record indicates that the domain does not send mail *at
> > all*.
> > In all other cases, I think that even if original SPF record specifies
> > "-all", the receiving server should override this and interpret it as 
> > "?all".
> > 
> 
> I tend to disagree. If you allow every IP to send mail on your behalf, 
> then why even bother putting an SPF record. For me, only -all makes 
> sense, all others are just as meaningful as having no SPF records at all.

Both SPF and DKIM are most useful as tools to allow DMARC to pass.

~all is perfectly suited to this. It allows most messages to pass SPF
without hard-failing forwards (although I agree that almost no one
bounces on an SPF hard fail anyway, so -all probably works just as well
for most cases). And you hope your DKIM signature survives forwarding in
most cases so it will allow the SPF fails to still pass DMARC.

In neither case are you trying to identify messages that fail; you are
trying to identify messages that pass. You are just trying to provide
accurate signals to recipients about messages sent from authenticated
sources so they can differentiate them from ones that aren't.

And none of this helps get mail to Gmail from a 0-volume host at a
generic VPS. You probably can't. Your surrounding network is full of
spammers and phishers running on their own or hacked servers, and Google
has no reason to think you aren't just one more. The bad guys use SPF
too.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
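
The point made in the message above, that DMARC looks for one aligned pass and that a surviving DKIM signature covers an SPF failure on forwarded mail, as an added example that is not part of the original post. The domains and sample messages are constructed, and organizational-domain matching is simplified to the last two labels instead of a Public Suffix List lookup.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption/simplification: last two labels. Real evaluators use the
    # Public Suffix List to find the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed needs the same org domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    from_domain: str   # domain in the visible From: header
    spf_result: str    # "pass", "softfail" (~all), "fail" (-all), "none"
    spf_domain: str    # envelope sender (MAIL FROM) domain that SPF checked
    dkim: list = field(default_factory=list)  # [(d= domain, verified?)]

def dmarc(msg: Message) -> dict:
    # Only an aligned *pass* counts. softfail and fail are treated the same:
    # neither contributes, so ~all vs -all does not change the DMARC outcome.
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain)
    dkim_ok = any(ok and aligned(d, msg.from_domain) for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample messages (not taken from real traffic).
SAMPLES = {
    # Sent straight from an authorized host.
    "direct": Message("example.org", "pass", "bounce.example.org",
                      [("example.org", True)]),
    # Plain forwarding: envelope sender kept, forwarder's IP not in the SPF record.
    "forwarded_softfail": Message("example.org", "softfail", "example.org",
                                  [("example.org", True)]),
    "forwarded_hardfail": Message("example.org", "fail", "example.org",
                                  [("example.org", True)]),
    # Forwarder also modified the body, so the signature no longer verifies.
    "forwarded_dkim_broken": Message("example.org", "softfail", "example.org",
                                     [("example.org", False)]),
    # SPF passes, but for an unrelated envelope domain: no alignment.
    "unaligned_spf_pass": Message("example.org", "pass", "vps.example.net"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24} {dmarc(msg)}")
```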
