Re: [dmarc-ietf] [spfbis] Should we encourage the use of SPF "soft include" for common platforms?

Brandon Long <> Sat, 09 March 2019 00:37 UTC


On Sat, Feb 23, 2019 at 11:35 AM Vladimir Dubrovin <dubrovin=> wrote:

> It's a bad idea, because "?" does not grant SPF authentication. SPF is
> important even if the message is DKIM signed and regardless of DMARC, because
> it authenticates the envelope address. As an example, an NDR/MDN may not be
> generated to an envelope address which is not SPF authenticated; we actually
> use this rule in practice to eliminate secondary spam.
> GSuite, O365 and large ESPs should not allow the use of unvalidated/spoofed
> e-mail addresses. If somebody allows sender spoofing, there is also a good
> chance it DKIM signs the spoofed message, because the DKIM signature is applied by
> the same party.

Although we go through great pains not to allow you to generate new
messages with spoofed addresses, and we also are very particular about what
we will DKIM sign... we haven't been as particular with SPF.  I kept
meaning to create a new smtp-out IP pool that wasn't in our SPF record, but
given our SPF record was "all our IPs", that was never an easy task.  We
then could have used that pool for any message where we don't want to
potentially validate with SPF.

As to why we have any messages like that, it's because of forwarding and
relaying.  And the cases where you should use your non-SPF IPs include
"same domain", i.e. if you get a spoofed message to a mailing list on the
domain, it shouldn't acquire SPF auth by virtue of going through the list.

The solution we've used for that now is ARC: we'll "remove" the SPF auth of
a message if it has an spf=fail for the same domain in the ARC chain.


> 23.02.2019 21:07, Kurt Andersen (b) wrote:
> With the growth of huge platforms that emit mail from the same common set
> of IPs (such as GSuite, O365, or large ESPs), regular SPF "include" ends up
> granting a DMARC pass to a lot more potential authors than most
> organizations would necessarily choose to grant.
> Instead of using the standard "(+)include:" approach, if domain owners
> used "?include:" as their mechanism, then that would prevent the SPF result
> from granting a DMARC PASS result when traffic is coming from one of these
> massively included platforms. It would essentially force the DMARC result
> to be driven only by the DKIM evaluation.
> Thoughts?
> --Kurt Andersen
> (I'm copying the spfbis list too because there may be folks lurking there
> who are not on the DMARC list)
> --
> Vladimir Dubrovin
> @Mail.Ru
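The two mechanisms discussed above, Kurt's "?include:" proposal and Brandon's ARC-based removal of SPF authentication, as an added example that is not code from this thread, from Google, Mail.Ru or any provider named in it. It is a toy Python SPF/DMARC evaluator: the DNS TXT table, the IP addresses, the `_spf.bigplatform.example` zone and the `dmarc_evaluate` / `arc_chain_has_spf_fail` helpers are all constructed for illustration, and the alignment rule uses a last-two-labels approximation of the organizational domain rather than the Public Suffix List.

```python
import ipaddress

# Constructed DNS TXT table (assumption: zones, IPs and "bigplatform" are made up).
# example.org uses the usual "+include:" of a shared platform; soft.example.org uses
# "?include:" so that mail from the platform's IPs is Neutral rather than Pass.
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 +include:_spf.bigplatform.example -all",
    "soft.example.org": "v=spf1 ip4:203.0.113.0/24 ?include:_spf.bigplatform.example -all",
    "_spf.bigplatform.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Minimal SPF check_host(): only ip4, include and all (a small RFC 7208 subset)."""
    if depth > 10:  # keep include recursion bounded, as RFC 7208 bounds DNS terms
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "permerror":
                return "permerror"
            # An include term matches only when the referenced record returns pass;
            # the qualifier written on the include (not the inner record) then decides.
            if inner == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unknown mechanism in this toy evaluator
    return "neutral"


def org_domain(domain):
    """Toy organizational domain: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain):
    """DMARC relaxed alignment: organizational domains must match."""
    return org_domain(auth_domain) == org_domain(from_domain)


def arc_chain_has_spf_fail(arc_chain, domain):
    """True if an earlier hop's ARC-Authentication-Results recorded spf=fail for this domain.
    arc_chain is a constructed list of dicts such as {"i": 1, "spf": "fail", "spf_domain": ...}."""
    return any(s.get("spf") == "fail" and s.get("spf_domain", "").lower() == domain.lower()
               for s in arc_chain)


def dmarc_evaluate(from_domain, mail_from_domain, client_ip, dkim_domain=None, arc_chain=()):
    """Return the SPF result plus a DMARC verdict driven by aligned SPF pass or aligned DKIM pass."""
    spf_result = check_host(client_ip, mail_from_domain)
    # Only an SPF *pass* can satisfy DMARC; neutral (from "?include:") never does.
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain)
    # The rule from the thread: discard SPF authentication when the ARC chain shows the
    # same domain already failed SPF at an earlier hop (a spoof relayed through one's own list).
    if spf_aligned and arc_chain_has_spf_fail(arc_chain, mail_from_domain):
        spf_aligned = False
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, from_domain)
    return {"spf": spf_result, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


if __name__ == "__main__":
    platform_ip = "198.51.100.7"  # constructed: inside the included platform's range
    print("+include, no DKIM:", dmarc_evaluate("example.org", "example.org", platform_ip))
    print("?include, no DKIM:", dmarc_evaluate("soft.example.org", "soft.example.org", platform_ip))
    print("?include, DKIM:   ", dmarc_evaluate("soft.example.org", "soft.example.org",
                                               platform_ip, dkim_domain="soft.example.org"))
    print("ARC spf=fail:     ", dmarc_evaluate("example.org", "example.org", "203.0.113.5",
                                               arc_chain=[{"i": 1, "spf": "fail",
                                                           "spf_domain": "example.org"}]))
```

Running the script shows the effect Kurt describes: with "+include:" any sender on the platform's IPs gets an aligned SPF pass and therefore a DMARC pass with no DKIM at all, while with "?include:" the same message is SPF-neutral and the DMARC verdict rests entirely on an aligned DKIM signature. The last case shows Brandon's rule: a message that would pass SPF on the domain's own IPs is stripped of that authentication because an earlier ARC hop recorded spf=fail for the same domain.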