As of last Christmas, I am on 100% validation of Mail From:. Previously
unseen domains that cannot produce SPF PASS go to system quarantine.
After review, acceptable messages get a local policy to provide alternate
positive identification, usually of the form:. server domain name, fcDNS on
On Mon, Apr 3, 2023, at 8:30 PM, Douglas Foster wrote:
> I described my algorithm because I am surprised that some of these
> sub-optimal filtering problems exist.
I would have thought the DKIM domain to be a better authenticated identifier
than MailFrom domain; messages from ESPs are typically
I described my algorithm because I am surprised that some of these
sub-optimal filtering problems exist.
As a corollary: In an American bar, the bouncer checks I.Ds. on the way
in, so that the bartender does not have to check IDs on every drink.
Similarly, I assume that a major ESP has
On Sat, Apr 1, 2023, at 9:41 PM, Douglas Foster wrote:
> My approach to ESP traffic is simple. I assume that the ESP has authorized
> the account indicated by the From address, so I don't worry about Sender
> Authentication as long as the message passes SPF based on the ESP domain.
> DMARC
Thank you Jesse for your comments. You are focusing on the ESP problem,
which I had not given much thought.
ESP messages
My approach to ESP traffic is simple. I assume that the ESP has authorized
the account indicated by the From address, so I don't worry about Sender
Authentication as long
On Sat, Apr 1, 2023, at 8:04 AM, Douglas Foster wrote:
> For purposes of the following discussion, assume that messages from known-bad
> senders and messages with unacceptable content have already been blocked.
> The question at hand is how to handle Sender Authentication failure when a
>
For purposes of the following discussion, assume that messages from
known-bad senders and messages with unacceptable content have already been
blocked. The question at hand is how to handle Sender Authentication
failure when a message has no other objectionable characteristics.
There are three
