I would say +all is always harmful. The difference between having +all and
not having any at all (or ?all) is that you affirmatively, by using +all, tell
the system the email is genuine. If you somehow want to treat all emails as
unspecified or unknown, ergo don't want to reject, but you want to still
have an SPF so you don't get sent to spam folder for not having an SPF, you
can use ?all to force a neither genuine nor fake result that should be
treated as no SPF at all in the actual validation system.

If you as a webshop would put +all on an SPF, and I got an email, that was
stamped as genuine in my email client, and I enter my card number on a
website that was linked in said email to correct an order, I would hold you
accountable for every loss of money on that credit card, since you certified
the email as genuine, and affirmatively told me (or my computer system), by
publishing a +all SPF, that I should trust that email to 100%.

+all in SPF, ergo a harmful action, may however have its usage in certain
situations, for example development or testing or SPF validation systems or
similar.

But then it SHOULD be done from specific test domains, like
dev.testing.example.com where example.com is your domain, so it's clear,
from someone that receives an email from said domain, that they SHOULD NOT
trust it for anything.
From: Hans-Martin Mosner via mailop
Sent: 8 July 2023 09:27
To: mailop@mailop.org
Subject: [mailop] SPF +all considered harmful
Most likely none of you would consider adding +all to an SPF record a smart
move, here's another reason why you shouldn't do it:
Google cloud services are being used to spam (ongoing for a long time,
Google doesn't seem to care). What I noticed today is that the spammer is
using domains with SPF +all as sender and HELO domains, presumably hoping to
avoid SPF based rejections or quarantine.
This might lead to bad reputation for the domains involved...
Cheers,
Hans-Martin
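
An added example, not part of either message above: a small Python audit that takes SPF TXT strings and reports what their `all` term yields, so a domain owner can spot the `+all` case discussed in this thread. It also covers the bare `all` form, which RFC 7208 treats as `+all` because `+` is the default qualifier; the domain names and records are constructed samples.

```python
# Added example: classify the "all" term of SPF records (RFC 7208 qualifiers).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def all_result(record):
    """Return the SPF result produced by the record's `all` term.

    Returns None if the text is not an SPF record or has no `all` term.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()  # mechanism names are case-insensitive
        # A missing qualifier means "+", so a bare "all" is the same as "+all".
        qualifier, name = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if name == "all":
            return QUALIFIERS[qualifier]
    return None


def audit(records):
    """Map each domain to a short finding about its `all` term."""
    notes = {
        "pass": "HARMFUL: any sender gets SPF pass for this domain",
        "neutral": "no assertion: receivers treat it like no SPF policy",
        "softfail": "unlisted senders are marked suspicious",
        "fail": "unlisted senders are rejected by SPF",
        None: "no SPF record or no `all` term",
    }
    return {domain: notes[all_result(txt)] for domain, txt in records.items()}


# Constructed sample records (not taken from real domains).
SAMPLES = {
    "shop.example.com": "v=spf1 ip4:192.0.2.0/24 +all",
    "bare.example.com": "v=spf1 mx all",
    "dev.testing.example.com": "v=spf1 ?all",
    "mail.example.com": "v=spf1 include:_spf.example.net -ALL",
    "soft.example.com": "v=spf1 a:all.example.com ~all",
    "other.example.com": "google-site-verification=constructed",
}

if __name__ == "__main__":
    for domain, finding in audit(SAMPLES).items():
        print(f"{domain}: {finding}")
```
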