On 2022-01-10 at 23:00:43 UTC-0500 (Tue, 11 Jan 2022 05:00:43 +0100) Fourhundred Thecat <400the...@gmx.ch> is rumored to have said:
> Hello, is it safe to ban senders that generate SPF Softfail?
No.
> policyd-spf: prepend Received-SPF: Softfail
>
> I have pasted the full header here: https://ctxt.io/2/AABg5vIYEw
>
> What I am asking is: are there situations where a legitimate (non-spam) sender would generate a soft fail?
Yes. That's the whole reason softfail exists in SPF. Not every domain has a statically definable set of legitimate SMTP client IPs.
The best example is simple traditional forwarding. On most unix-like systems any user can put an address in ~/.forward and have all of their local mail forwarded to that address *without changing the envelope sender*! Traditional 'alias' file entries work the same way, preserving the envelope sender on the forwarded mail. This has been reliably breaking SPF for almost 2 decades. That fact has never had enough impact to get everyone to deploy SRS (which can be a massive headache) or to stop using "-all" in SPF records. Unless you want to be cannon fodder in the war on transparent forwarding, rejecting mail absolutely based on an SPF softfail (or even an SPF strict fail) is a choice that will be regretted on any mail system of middling scale. Huge providers (M365, GMail, GMX, Yahoo, etc.) can do enforcement of hard fails because they offer self-serve mitigations and can tolerate a constant murmur of unhappy users.
-- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
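As an added illustration of the forwarding problem Bill describes (example code written for this thread, not from policyd-spf or any real MTA): a minimal SPF evaluator over constructed records shows why a ~/.forward hop turns a legitimate sender into Softfail (or Fail under "-all"), why SRS repairs it, and a receiver policy in Postfix policy-server vocabulary that records the result in a Received-SPF header instead of rejecting. The domains, IPs and the simplified SRS0 address format are assumptions for the demo.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ~all",     # "~all": unlisted IPs softfail
    "example.net": "v=spf1 ip4:198.51.100.10 -all",    # "-all": unlisted IPs hard-fail
    "forwarder.example": "v=spf1 ip4:203.0.113.7 -all",  # the forwarding host's own domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(mail_from, client_ip):
    """Minimal SPF evaluator: handles ip4 mechanisms and 'all' only (no include/a/mx/redirect)."""
    domain = mail_from.rsplit("@", 1)[-1]
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a matching term or an 'all'

def forward_transparently(mail_from, forwarder_ip):
    """~/.forward or alias expansion: the message leaves the forwarder with the ORIGINAL
    envelope sender, so the next receiver sees an IP the sender's domain never listed."""
    return {"mail_from": mail_from, "client_ip": forwarder_ip}

def forward_with_srs(mail_from, forwarder_ip):
    """SRS rewrites the envelope sender into the forwarder's own domain (simplified SRS0
    form with placeholder hash/timestamp), so SPF is now checked against the forwarder."""
    local, domain = mail_from.split("@")
    return {"mail_from": f"SRS0=HASH=TS={domain}={local}@forwarder.example",
            "client_ip": forwarder_ip}

def policy_action(spf_result):
    """Receiver policy in Postfix policy-server vocabulary (DUNNO / PREPEND): record the
    result in a header and leave the decision to scoring; never reject on softfail or fail."""
    if spf_result == "pass":
        return "DUNNO"
    return f"PREPEND Received-SPF: {spf_result.capitalize()}"

def receive(hop):
    """Evaluate one inbound SMTP hop and return (spf_result, policy_action)."""
    result = check_spf(hop["mail_from"], hop["client_ip"])
    return result, policy_action(result)
```

Running `receive(forward_transparently("alice@example.org", "203.0.113.7"))` yields Softfail for a perfectly legitimate message, which is exactly the case a reject-on-softfail rule would lose.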