Re: Mailing list SPF Failure

[Michael Thomas <mike () mtcc com>]

On 5/16/24 3:54 PM, William Herrin wrote:
> On Thu, May 16, 2024 at 12:03 PM John Levine <johnl () iecc com> wrote:
> > It appears that Michael Thomas <mike () mtcc com> said:
> > > Since probably 99% of the mail from NANOG is through this list, it
> > > hardly matters since SPF will always fail.
> > Sorry, but no. A mailing list puts its own envelope return address on
> > the message so with a reasonable SPF record, SPF will normally
> > succeed.
> Exactly. SPF acts on the -envelope- sender. That means the one
> presented in the SMTP From:<> command. For mail from nanog, that's:
> nanog-bounces+address () nanog org, regardless of what the sender's
> header From address is.
>
> The message content (including the message headers) is theoretically
> not used for SPF validation. In practice, some SPF validators don't
> have direct access to the SMTP session so they rely on the SMTP
> session placing the envelope sender in the Return-path header.

Yes, and why is that needed? The mailing list resigning has the same 
effect and then you only need one mechanism instead of two and with DKIM 
you get the benefit that it's signing the 822 address which can be used 
for user level stuff in way that SPF is a little sus. So it makes SPF 
pretty irrelevant. IMO, SPF was always a stopgap since there was no 
guarantee that DKIM would be deployed. 20 years on, I guess I don't feel 
like I need to keep my trap shut about that.

If a receiving site is rejecting something solely based on the lack of a 
SPF record but has a valid DKIM signature, the site is broken IMO.

Mike