[Mailman-Users] SPF best practices?

Mark Sapiro mark at msapiro.net
Sun Aug 23 20:27:57 CEST 2015


On 08/23/2015 10:59 AM, Stephen J. Turnbull wrote:
> Mark Sapiro writes:
> 
>  > The scenario is your list member is user at example.com.
>  > user at example.com is set to forward all mail to example_user at yahoo.com.
> 
> Heh.  This user is screwed if you use dmarc_moderation_action too.


I don't think so. The munged From: will be from the list's domain which
probably doesn't publish a DMARC policy, but even if it does, it
*should* also be DKIM signing the outgoing mail.

The forward shouldn't alter the message in ways that break the list
server's DKIM sig so at the ultimate receiving end the message has a
valid DKIM sig that aligns with the From: domain.


> Bottom line: Friends don't let friends use Yahoo! or AOL.


+1

As an aside, perhaps a more telling example of how SPF is broken is the
following. example.com publishes an SPF with '-all'. user at example.com
sends a message to postmaster at python.org which is an alias for a few
people's addresses on other hosts. If all those end recipients check SPF
they may reject the message with envelope from user at example.com because
it comes from a server at mail.python.org which isn't allowed to send
mail with envelope from the example.com domain.

You can never know if any of your intended recipient addresses pass
through such a relay, thus my opinion is if you're concerned about your
mail being delivered, you can't use SPF -all.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
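
The two cases discussed in this message, as an added example that is not part of the original post: a minimal SPF evaluator (only the `ip4` and `all` mechanisms) and a strict-alignment DMARC check, run over constructed data. The domain lists.example.org, the SPF records and the IP addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: made-up SPF records and RFC 5737 documentation IPs.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "lists.example.org": "v=spf1 ip4:198.51.100.0/24 -all",  # hypothetical list domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ORIGIN_MTA = "192.0.2.10"     # example.com's own outbound server
ALIAS_RELAY = "203.0.113.25"  # stands in for the alias/forwarding host

def check_spf(envelope_domain, client_ip, records=SPF_RECORDS):
    """Evaluate a record using only ip4 and all (a small subset of RFC 7208)."""
    record = records.get(envelope_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return QUALIFIERS[qualifier]
    return "neutral"

def dmarc_pass(from_domain, spf_result, envelope_domain, dkim_valid_domains):
    """DMARC passes if an aligned SPF pass or an aligned valid DKIM signature exists."""
    spf_aligned = spf_result == "pass" and envelope_domain == from_domain
    dkim_aligned = from_domain in dkim_valid_domains  # strict alignment assumed
    return spf_aligned or dkim_aligned

def alias_scenario():
    """Mail from example.com delivered directly, then via an alias relay."""
    direct = check_spf("example.com", ORIGIN_MTA)
    # The alias re-sends with the envelope sender unchanged, from its own IP.
    forwarded = check_spf("example.com", ALIAS_RELAY)
    return direct, forwarded

def list_forward_scenario():
    """List post with munged From:, DKIM-signed by the list, then forwarded."""
    spf = check_spf("lists.example.org", ALIAS_RELAY)
    # The forward leaves the message intact, so the list's DKIM signature verifies.
    ok = dmarc_pass("lists.example.org", spf, "lists.example.org", {"lists.example.org"})
    return spf, ok

if __name__ == "__main__":
    print("alias:", alias_scenario())
    print("list forward:", list_forward_scenario())
```

With `-all` the relayed copy evaluates to `fail`, while the forwarded list post still passes DMARC on the strength of the aligned DKIM signature alone.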
