On Wed, 24 Jan 2018 14:20:57 -0800 (PST) John Hardin <jhar...@impsec.org> wrote:
> > At this point, I would be willing to penalize sites with bad SPF
> > records (syntactically invalid; more than one different SPF record
> > attached to the same domain, etc.)  Those people really deserve
> > penalties because they've messed up.

> Does that include "+all" or authorizing more than a class-b space
> through any method, which I'd characterize as "malicious" rather than
> "messed up"?

+all is malicious for sure.  More than a Class-B might just be bad
planning AKA Microsoft's outbound IP address list.

However, a malicious actor can use the "exists:" mechanism to simulate
+all in a way that can't easily be proven by an SPF evaluator. :(
I would like to see the exists: mechanism tossed.

Regards,

Dianne.
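A static check for the SPF record problems named in this thread, as an added example that is not code from the message or from any SPF implementation; the function name, finding labels and sample record are constructed. It counts only `ip4` ranges toward the class-B threshold, and it can only flag `exists:` rather than evaluate it, because what that mechanism authorizes depends on DNS answers at evaluation time.

```python
import ipaddress

CLASS_B = 2 ** 16  # addresses in a /16, the "class-b" size named in the thread
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def lint_spf(txt_records):
    """Return sorted finding labels for the TXT records of one domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no-spf-record"]
    findings = set()
    if len(set(spf)) > 1:  # more than one different SPF record on the domain
        findings.add("multiple-spf-records")
    for record in spf:
        ip4_total = 0
        for term in record.split()[1:]:
            qualifier = "+"  # SPF default when no qualifier is written
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            name, _, value = term.partition(":")
            if "=" in name:  # modifier such as redirect= or exp=, not linted here
                continue
            name = name.split("/")[0].lower()  # drop a CIDR suffix like a/24
            if name not in MECHANISMS:
                findings.add("syntax-error")
            elif name == "all" and qualifier == "+":
                findings.add("pass-all")
            elif name == "exists":
                findings.add("exists-unverifiable")  # cannot be sized statically
            elif name in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    findings.add("syntax-error")
                    continue
                if (name == "ip4") != (net.version == 4):
                    findings.add("syntax-error")  # address family mismatch
                elif net.version == 4:
                    ip4_total += net.num_addresses
        if ip4_total > CLASS_B:
            findings.add("wider-than-class-b")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample record for a placeholder domain.
    print(lint_spf(["v=spf1 ip4:198.18.0.0/15 exists:%{i}.spf.example.com +all"]))
```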