Yeah, blocking on SPF -all is scary, really people shouldn't. But I'm guilty of implementing it that way myself, so who am I to talk? Maybe it's more that it's fine if you want to do it as a crazy hobbyist, but if you're one of the biggest mailbox providers on the earth...it's not a great idea.
The problem is that even if you have DMARC in place, it is VERY easy to configure SPF checking so that SPF-failing mail is blocked at the edge...you never get far enough to denote DKIM passing. Having accidentally configured OpenDKIM and Python-PolicyD-SPF this way myself in the past, I imagine others likely have too, and not everybody's smart enough to notice when the edge cases are getting weird.

It also depends on whether or not you want to really rely on DMARC. If so, ~all would stop SPF alone causing a bounce, but still leave things up to DMARC as far as rejecting or not ... so DKIM would be considered. Assuming it's all configured correctly on the receiving side.

So, ~all is the way to go given that if done in conjunction with DMARC, you're still telling the world to reject faked mail, but in a slightly more safe manner.

Cheers,
Al Iverson

--
Al Iverson / Deliverability blogging at https://www.spamresource.com
Subscribe to the weekly newsletter at https://ml.spamresource.com
DNS Tools: https://xnnd.com / (312) 725-0130 / Chicago (Central Time)

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
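The receiver-side flow the post describes (an edge SPF check that rejects on hard fail before DKIM or DMARC run, versus ~all leaving the decision to DMARC) can be modelled in a few lines. The following is an added illustration, not code from the mailop thread or from OpenDKIM or Python-PolicyD-SPF. It assumes a simplified SPF evaluator that handles only ip4/ip6 mechanisms and "all" (include/a/mx/exists would need DNS and are treated as non-matching), assumes the SPF identifier is aligned whenever SPF passes, and uses constructed records and IPs for a hypothetical example.com.

```python
"""Toy model of SPF 'all' qualifier + edge SPF filter + DMARC evaluation.
Added illustration; the records, IPs and scenario names are constructed."""

import ipaddress

# Qualifier prefix on an SPF mechanism -> result when that mechanism matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate a (simplified) SPF record against the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(value, strict=False):
                    return QUALIFIER_RESULT[qualifier]
            except ValueError:
                return "permerror"
        elif name == "all":
            # 'all' always matches; its qualifier decides the final result
            return QUALIFIER_RESULT[qualifier]
        # include/a/mx/exists would need DNS lookups; treated as no match here
    return "neutral"


def receiver_disposition(record: str, client_ip: str, dkim_aligned_pass: bool,
                         dmarc_policy: str = "reject",
                         edge_rejects_spf_fail: bool = True) -> str:
    """Decide what happens to a message at a receiver.

    edge_rejects_spf_fail models the misconfiguration described in the post:
    an SPF-only check at SMTP time that rejects on 'fail' before DKIM or
    DMARC are ever evaluated.
    """
    spf = check_spf(record, client_ip)
    if edge_rejects_spf_fail and spf == "fail":
        return "rejected-at-edge"  # DKIM never consulted
    # DMARC (RFC 7489): pass if either aligned SPF or aligned DKIM passes.
    if spf == "pass" or dkim_aligned_pass:
        return "accept"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[dmarc_policy]


# Constructed sample records; 192.0.2.0/24 is the domain's only sender.
HARD_FAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
SOFT_FAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"


def compare_policies() -> dict:
    """Outcome of three constructed scenarios under -all and ~all, with
    DMARC p=reject and an edge filter that rejects SPF hard fails."""
    scenarios = {
        # Legitimate mail relayed by a forwarder: IP not in SPF, DKIM intact.
        "forwarded-with-dkim": ("203.0.113.7", True),
        # Spoofed mail from an unlisted IP, no valid aligned DKIM signature.
        "spoofed-no-dkim": ("198.51.100.9", False),
        # Mail sent directly from a listed IP.
        "direct-from-listed-ip": ("192.0.2.10", True),
    }
    results = {}
    for name, (ip, dkim_ok) in scenarios.items():
        results[name] = {
            "-all": receiver_disposition(HARD_FAIL_RECORD, ip, dkim_ok),
            "~all": receiver_disposition(SOFT_FAIL_RECORD, ip, dkim_ok),
        }
    return results


if __name__ == "__main__":
    for scenario, outcome in compare_policies().items():
        print(f"{scenario:24s} -all: {outcome['-all']:18s} ~all: {outcome['~all']}")
```

Running it shows the trade-off the post makes: with -all and an edge filter, the forwarded-but-DKIM-signed message is rejected before DKIM is ever looked at, while with ~all it reaches DMARC and is accepted; the spoofed message is rejected either way, under -all at the edge and under ~all by DMARC p=reject. Passing edge_rejects_spf_fail=False shows the -all record behaving correctly once the receiver stops short-circuiting on SPF alone.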