
Comment by kbolino

1 month ago

I'd also like to see an update to DMARC so you can require both SPF and DKIM in your policy, instead of just one out of the two.

Terrible idea, SPF is very hostile to (legitimate) forwarding. In general SPF should actually die.

  • If you have trusted forwarders, you just add them to the SPF policy (which can be recursive, though there is a pretty low limit on how many records can be looked up). I've not had an issue with this, personally. However, assuming DKIM can be tightened up as proposed above, I'm not sure SPF would be necessary anymore.

    • There are quite a few problems with that. Biggest issue is that it would require the domain owner's explicit cooperation with each forwarder. It would also allow more than just forwarding existing letters. Real life shows that SPF really doesn't work with forwarders and it probably never will.

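The SPF behaviour discussed in this thread, as an added example that is not part of any comment above: a reduced SPF evaluator covering only the `ip4`, `include` and `all` mechanisms, with the limit of 10 DNS-querying terms from RFC 7208 section 4.6.4. The domains, addresses and zone contents are constructed, and the `zone` dictionary stands in for DNS TXT lookups.

```python
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per check
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception):
    pass

def check_host(ip, domain, zone, state):
    record = zone.get(domain)  # stand-in for a TXT query
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            state["lookups"] += 1
            if state["lookups"] > LOOKUP_LIMIT:
                raise PermError("too many DNS lookups")
            inner = check_host(ip, term[8:], zone, state)
            if inner == "none":
                raise PermError("include target has no SPF record")
            matched = inner == "pass"  # only an inner pass makes include match
        elif term == "all":
            matched = True
        else:
            raise PermError("mechanism not handled in this reduced example")
        if matched:
            return RESULT[qualifier]
    return "neutral"

def evaluate(ip, domain, zone):
    try:
        return check_host(ip, domain, zone, {"lookups": 0})
    except PermError:
        return "permerror"

# Constructed zones: the sender's own policy, then the same policy after the
# domain owner adds the forwarder, then an include chain 11 levels deep.
ZONE = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all",
        "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all"}
ZONE_FWD = dict(ZONE, **{"example.org":
                "v=spf1 ip4:192.0.2.0/24 include:forwarder.example -all"})
CHAIN = {f"hop{i}.example": f"v=spf1 include:hop{i + 1}.example -all"
         for i in range(11)}
CHAIN["hop11.example"] = "v=spf1 ip4:192.0.2.0/24 -all"
```

With `ZONE`, mail relayed from 198.51.100.7 fails for `example.org`; with `ZONE_FWD` it passes, and that pass applies to any message from that host because SPF only evaluates the connecting IP.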