Hello,
example.com => RCPT TO: <user2(_at_)domboxmail(_dot_)com>
domboxmail.com => 550 Restricted Box. Unauthorized and Unverified
Sender. Please configure SPF or Send this mail from one of your MX
server IP address
This is not backward compatible and does not work with indirect mail flow. As
an example, for aegee.org no SPF records
will be installed and the MX records will not be adjusted. It is up for every
user to choose which server it will use
to send emails. The lack of enforced DMARC validates this statement, somehow.
I *guess* for iki.fi the situation is
the same. The iki.fi provider handles only incoming emails, how users send
emails is up to the user (I guess).
So it likely works with most setups, but if users want service that works with
all email flows, your system will not be
first choice. Compare to having a system that does not accept * (asterisk)
sign in the local part of the email address
- such host cannot accept all valid emails.
Regards
Дилян
As I mentioned earlier, my system is designed in a way to deal with spam
mails without wasting bandwidth. So all validation mechanism happens before
the DATA command..
On Wed, Sep 25, 2019 at 4:55 PM Alessandro Vesely <vesely(_at_)tana(_dot_)it>
wrote:
On Wed 25/Sep/2019 12:29:44 +0200 Viruthagiri Thirumavalavan wrote:
In my system, challenge/response methods applicable only for "verified
strangers". When the MAIL FROM says that the mail is coming from
john(_at_)example(_dot_)com <mailto:john(_at_)example(_dot_)com>, our
system going to fetch the MX
record and check whether the mail is really coming from example.com
MX /receive/ mail, mailout hosts may differ and, in large sites, they
typically do.
Since we are talking about human-to-human mails here, we are expecting the
mail from one of your MX servers. We also check SPF record and A record.
If
the mail is not coming from any of those IP addresses, we actually reject
the mail.
SPF works better. However, consider the analysis depicted here:
https://en.wikipedia.org/wiki/File:Mailflows-reloaded.png
Many consider reject-on-SPF-fail dubious, which is why most mail sites have
~all instead of -all. Rejecting on non-pass is definitely bad. DMARC needs
simultaneous non-pass of both SPF and DKIM in order to reject. However, the
most diligently authenticated messages are spam.
Best
Ale
--
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp