Autore: Rick Moen Data: To: dng Oggetto: Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists
Quoting Andrew McGlashan via Dng (dng@???):
> They screw up greylisting, they screw up SPF and they screw up DMARC.
They didn't screw up SPF.
If you as the domain stakeholder of an SMTP-sending domain
deterministically know and can specify in SPF's flexible spec format
for DNS TXT records where _all_ your domain's legitimate mail will
originate, then you can use SPF to good effect to make forged sending
IPs detectable and rejectable at the time of SMTP receipt.
I happen to be able to thus specify. It's particularly simple in my
domain's case, because the sole authorised origin is one IPv4 address.
Therefore...
...Works for Me[tm]. (Please note that the '-all' means my DNS
recommends _permfail_ of non-compliant mail.)
Occasionally, I see claims in Linux forums, including in a discussion
two years ago on this mailing list, that SPF breaks on mailing lists.
This is simply not true. If it'd been true, I'd have noticed at some
point over the last couple of decades.
Domain owners for whom SPF does _not_ work include ones who insist on
originating port 25 unauthenticated SMTP from arbitary unplanned IP
addresses without that mail getting rejected as a suspected of being a
forgery. (Good luck with that.) For them, fortunately, even if they
take that rather impractical position, SPF still doesn't hurt them:
They retain the option of not publishing an SPF record, or one declaring
that their mail might originate from anywhere.
Oddly enough, I _can_ identify a time when my SPF record did hurt my
mail delivery. It was the afternoon of December 17, 2019, when because
of an ISP shutdown I had to re-IP my server for the first time in 18
years. Everything appeared to go smoothly, in part because I'd
shortened TTLs to 3600 many days in advance. Less than an hour after
cutover, one of my outgoing mailing list postings was rejected by
luv.asn.au on grounds that my own SMTP server supposedly violated my own
SPF policy.
Explanation: Someone there was for some reason retaining my old SPF RR
in cache longer than was supposed to happen. Problem did not recur.
;->