On Wed 25/Sep/2019 12:29:44 +0200 Viruthagiri Thirumavalavan wrote:
> In my system, challenge/response methods are applicable only for "verified
> strangers". When the MAIL FROM says that the mail is coming from
> john@example.com, our system is going to fetch the MX
> record and check whether the mail is really coming from example.com
MX /receive/ mail, mailout hosts may differ and, in large sites, they typically
do.
> Since we are talking about human-to-human mails here, we are expecting the
> mail from one of your MX servers. We also check the SPF record and A record. If
> the mail is not coming from any of those IP addresses, we actually reject
> the mail.
SPF works better. However, consider the analysis depicted here:
https://en.wikipedia.org/wiki/File:Mailflows-reloaded.png
Many consider reject-on-SPF-fail dubious, which is why most mail sites have
~all instead of -all. Rejecting on non-pass is definitely bad. DMARC needs
simultaneous non-pass of both SPF and DKIM in order to reject. However, the
most diligently authenticated messages are spam.
Best
Ale
--
_______________________________________________
ietf-smtp mailing list
ietf-smtp@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
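The two points of the reply above, that MX hosts receive mail while outbound mail often leaves from different hosts, and that DMARC only applies its policy when both SPF and DKIM fail, can be made concrete with a small simulation. This is an added example, not code from the thread or from any of the participants. The DNS zone, the resolver (a dictionary lookup, so nothing touches the network), the domain names and IP addresses (reserved documentation ranges) and the function names `mx_only_check`, `evaluate_spf` and `dmarc_disposition` are all constructed for illustration; the SPF evaluator covers only the `a`, `mx`, `ip4` and `all` mechanisms.

```python
"""Toy SPF evaluation and DMARC disposition over a constructed DNS zone.

Added example for the ietf-smtp thread; not the poster's code.  The zone
below is constructed: example.com's MX hosts sit in 192.0.2.0/24 while its
outbound mail leaves from 198.51.100.0/24, the situation the reply describes
for large sites.  strict.example is a second constructed domain using -all.
"""
import ipaddress

ZONE = {
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("mx1.example.com", "A"): ["192.0.2.10"],
    ("mx2.example.com", "A"): ["192.0.2.11"],
    ("example.com", "A"): ["192.0.2.1"],
    ("example.com", "TXT"): ["v=spf1 mx a ip4:198.51.100.0/24 ~all"],
    ("strict.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS resolver: returns [] when nothing is published."""
    return ZONE.get((name.lower(), rtype), [])


def mx_only_check(domain, ip):
    """The heuristic under discussion: accept only if the sending IP is one
    of the domain's MX hosts.  Legitimate mailout hosts that are not MXs fail."""
    ip = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == ip
               for mx in lookup(domain, "MX") for a in lookup(mx, "A"))


def evaluate_spf(domain, ip):
    """Minimal SPF check: walk the mechanisms left to right and return the
    result of the qualifier on the first one that matches the sending IP."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a permanent error
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(target, "A"))
        elif mech == "mx":
            matched = any(ipaddress.ip_address(a) == ip
                          for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        else:
            return "permerror"  # include, redirect, exists, ... not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit 'all'


def dmarc_disposition(policy, spf_result, spf_aligned, dkim_result, dkim_aligned):
    """DMARC (RFC 7489) passes when EITHER aligned identifier passes; the
    published policy ('none', 'quarantine' or 'reject') applies only when
    both SPF and DKIM fail to produce an aligned pass."""
    if (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned):
        return "pass"
    return policy


if __name__ == "__main__":
    mailout = "198.51.100.7"   # constructed: example.com's outbound host, not an MX
    print("MX-only check for mailout host:", mx_only_check("example.com", mailout))
    print("SPF for mailout host:          ", evaluate_spf("example.com", mailout))
    print("SPF for unknown host (~all):   ", evaluate_spf("example.com", "203.0.113.9"))
    print("SPF for unknown host (-all):   ", evaluate_spf("strict.example", "203.0.113.9"))
    print("DMARC p=reject, SPF softfail, DKIM pass:",
          dmarc_disposition("reject", "softfail", True, "pass", True))
    print("DMARC p=reject, SPF softfail, DKIM fail:",
          dmarc_disposition("reject", "softfail", True, "fail", True))
```

Running it shows the MX-only heuristic rejecting the constructed mailout host that SPF passes, a `~all` record yielding `softfail` where `-all` yields `fail`, and DMARC leaving the `reject` policy unused as long as one aligned identifier passes.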