Just for starters, I like this discussion, because it triggers me (and maybe others) to rethink our policies and look at new insights. The Myths and Legends link was very interesting for me for example.
So you're saying that this would just nullify all the other tests?
I'm not 100% sure about that, but I don't think so. The p=none is only the DMARC policy. So the DMARC owner will get a test result that SPF failed and DKIM failed, and normally this would be blocked, but at least DMARC won't block it.
SPF might, so that might be the reason to better use ~all in combination with DMARC.
I received some DMARC reports from Google a few weeks ago that failed SPF because they were actually sent from a different IP address (one that I don't own). Is that what was going on there?
That might be. Could also be caused by the either the policy and/or percentage you set in the DMARC line.
I also sometimes get them when customers forward my mail. In that case the mail should arrive, but the SPF will probably fail because the customer is not allowed to send mail on behalf of my company. However, the original header is intact and DKIM will pass, so the mail will be accepted (if I understood it correctly).
In this case I also get an "SPF fail, DKIM pass" DMARC report from Google.
Now suppose a spammer from a different IP uses my email address; the email would be blocked because SPF will give a hard fail, DKIM is not aligned, and I have p=reject.
However, I've been testing before with p=none and pct=20. After that it went via pct=75 to pct=100 and p=quarantine.
At this moment it's p=reject and pct=100.
So how would people be able to test their DMARC records, if ESF would check DMARC and block mails with SPF and DKIM not in line, while the owner of the DMARC record has a policy to let them pass for testing?
The writers of those articles I shared before (and others) have argued that it makes more sense to pass this function to DMARC, rather than drop mail instantly for a single SPF fail.
Yes, when using DMARC, because that might be better for forwarded mails, for example. There will not be an instant block on SPF already.
Indeed it says:
SPF specifies the servers that can send email for a domain.
But if ~all is used, *any* domain is allowed because it will only generate a softfail (so you can spoof all you want if I'm correct).
I've seen much more spam coming through on my server when ?all or ~all is used than when -all is used, so that would be odd when reading the Myths and Legends of SPF link, which also says this:
Fact: In general, SPF authorization or lack thereof does not have a significant impact on the delivery of email messages.
Which I don't agree with. If I use -all, emails will be blocked when not coming from my server, so I don't understand how they can say it does not have a real impact on delivery, because it does. However, there has to be an SPF check and that is the issue. The lack of the check is causing the insignificant impact, because lots of even big ISPs do not even use an SPF check.
If they don't use this, I wonder if they even do a DMARC check. So I'm a bit stubborn about believing this particular fact.
Fact experienced by myself: if no DMARC is used (like on lots of hosts and ISPs), there will be more spam arriving and more spoofing done when ~all is used, at least on servers which do an SPF check. I experienced this myself before I used DKIM and DMARC. Still found mails not from me, sent by a spammer, because they only got a softfail.
Indeed, this can cause issues on forwards, that is correct, so when used in combination with DMARC, it seems true that the ~all is better so things are passed to DMARC for getting investigated. Which would indeed mean the DA help file would need adjusting.
But this is -only- for systems which are really doing a DMARC check, to me it means if you send to systems not doing a DMARC check, spoofing will remain easy to do when ~all is used, nothing will be blocked.
So now I wonder if there is a guarantee that all MTAs in the world (at least most hosters and most ISPs) are doing DMARC checks? If that is the case, I don't have to discuss anymore and we can use ~all in combination with DMARC.
But imho still not with SPF only records.
Something else which is really confusing to me.
-all can be used for domains that are not used for sending legitimate emails. DMARC considers -, ~ and ? as equivalents.
The second part I understand, but the first part I don't understand: "are not used"?? I use -all and I'm only sending legitimate mails.
I'm not a native English speaker, so I might miss the correct meaning of this.
So in short: I can agree that ~all might be better to use when DKIM and DMARC are also used.
But I believe -all is better to prevent spoofing (and so spam) when DMARC is not used. And most hosting accounts still do not use DMARC, if I'm correct.
Then clearly the incoming server's configuration is far too unforgiving, and that's where the real problem lies.
If I get an email which contains almost only links, it's mostly spam, so I personally don't see that as too unforgiving. The naughty words might not be used that much nowadays and the too little content maybe neither. So I agree there might be room for improvement in that text.
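The cases argued through above (a forwarded mail that fails SPF but carries an intact DKIM signature, a spoofed mail from a foreign IP, the difference between ~all and -all on a receiver that never consults DMARC, and pct= sampling during a rollout) can be made concrete with a small model. The following is an added example, not code from the post or from any mail server or DirectAdmin component; the message records and domains are constructed, and the relaxed-alignment check is simplified to a subdomain match rather than a public-suffix-list lookup. The dispositions follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Toy receiver: how one message is handled by an SPF-only MTA versus an MTA that
applies the sender's DMARC policy.  Added illustration, not a real MTA's code."""
from dataclasses import dataclass
from hashlib import sha256


@dataclass
class Message:
    """Authentication results the receiver has already computed for one message."""
    header_from: str   # domain of the RFC5322.From header (what DMARC aligns against)
    spf_result: str    # "pass", "fail" (-all), "softfail" (~all), "neutral" (?all), "none"
    spf_domain: str    # RFC5321.MailFrom domain the SPF lookup was done for
    dkim_result: str   # "pass", "fail" or "none" (unsigned)
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned
    message_id: str    # only used for the deterministic pct= sampling below


def spf_only_disposition(msg: Message) -> str:
    """Receiver that never looks up DMARC: only an SPF hard fail (-all) blocks.
    A softfail (~all) or neutral (?all) is delivered, possibly with a spam score."""
    return "reject" if msg.spf_result == "fail" else "accept"


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment, simplified (assumption): identical domain or a subdomain.
    Real DMARC compares organisational domains via the public suffix list."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_passes(msg: Message) -> bool:
    """DMARC passes when SPF *or* DKIM passes with an identifier aligned to From."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.header_from)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.header_from)
    return spf_ok or dkim_ok


def sampled_for_pct(message_id: str, pct: int) -> bool:
    """Deterministic stand-in for the receiver's random pct= sampling."""
    bucket = int(sha256(message_id.encode()).hexdigest(), 16) % 100
    return bucket < pct


def dmarc_disposition(msg: Message, policy: str, pct: int = 100) -> str:
    """Apply p=none / p=quarantine / p=reject (with pct=) to a message."""
    if dmarc_passes(msg):
        return "accept"
    if policy == "none":
        return "accept"            # monitoring only: report, never block
    if not sampled_for_pct(msg.message_id, pct):
        # RFC 7489 section 6.6.4: messages outside the sample get the
        # next less severe policy (reject -> quarantine, quarantine -> none)
        return "quarantine" if policy == "reject" else "accept"
    return policy                  # "quarantine" or "reject"


def compare(msg: Message, policy: str, pct: int = 100) -> dict:
    """Same message as seen by an SPF-only receiver and by a DMARC-aware one."""
    return {"spf_only": spf_only_disposition(msg),
            "dmarc": dmarc_disposition(msg, policy, pct)}


# Constructed sample messages for the domain example.com (publishes -all and DMARC).
# 1. A customer forwards a legitimate mail: SPF fails (forwarder's IP is not
#    authorised) but the original DKIM signature is intact and aligned.
FORWARDED = Message("example.com", "fail", "example.com", "pass", "example.com", "fwd-1")
# 2. Spoofed mail from a foreign IP while the domain publishes -all: hard fail, unsigned.
SPOOF_HARDFAIL = Message("example.com", "fail", "example.com", "none", "", "spoof-1")
# 3. Same spoof, but the domain publishes ~all: only a softfail.
SPOOF_SOFTFAIL = Message("example.com", "softfail", "example.com", "none", "", "spoof-2")

if __name__ == "__main__":
    for name, msg in [("forwarded", FORWARDED), ("spoof -all", SPOOF_HARDFAIL),
                      ("spoof ~all", SPOOF_SOFTFAIL)]:
        print(f"{name:11} p=reject pct=100 -> {compare(msg, 'reject')}")
    print("spoof ~all  p=none           ->", compare(SPOOF_SOFTFAIL, "none"))
    print("spoof ~all  p=reject pct=0   ->", dmarc_disposition(SPOOF_SOFTFAIL, "reject", 0))
```

Running it reproduces the thread's positions side by side: the forwarded mail is rejected by the SPF-only receiver but accepted under DMARC thanks to the aligned DKIM pass; the ~all spoof sails through the SPF-only receiver while the -all spoof does not, which is the reason given above for keeping -all where DMARC is absent; and with p=reject but a message outside the pct sample, the receiver quarantines instead of rejecting.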