Epic thread I interpret as evidence of what garbage SPF is.
Quote Tweet
Hey, so y'all know SPF, the Sender Policy Framework, right? It's straightforward, isn't it? I mean, client connects, you check envelope-from, client IP, and (what else) a DNS record, and then make your call. Well. Turns out there's (a bit) more to it. Let's take a look...
Replying to
SPF barely accomplishes anything by itself since it passes based on MAILFROM rather than only FROM. It doesn't really provide anti-spoofing when the user visible source address doesn't need to be valid. DMARC works well but it would work fine with only DKIM existing and no SPF.
Replying to and
I strongly dislike how mailing list software approached DMARC by continuing to inject content into people's emails and bypassing DMARC by replacing the FROM address with their own address for that person. Can't understand why they couldn't just stop advertising list at bottom.
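
The MAILFROM/FROM distinction and the mailing-list From rewriting discussed in this thread, as an added example that is not part of any tweet: a simplified DMARC identifier-alignment check (relaxed mode, per RFC 7489) run over constructed messages. All domains and sample messages are constructed, and `org_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    # Assumption/simplification: the organizational domain is the last two
    # labels. Real DMARC implementations use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class Message:
    header_from: str                 # RFC5322.From domain (what the user sees)
    mail_from: str                   # RFC5321.MailFrom domain (what SPF checks)
    spf_pass: bool                   # SPF result for mail_from + client IP
    dkim_pass_domain: Optional[str]  # d= of a DKIM signature that verified


def aligned(a: str, b: str) -> bool:
    return org_domain(a) == org_domain(b)


def dmarc_pass(m: Message) -> bool:
    # DMARC passes if SPF *or* DKIM passes AND that identifier aligns
    # with the header From domain.
    spf_ok = m.spf_pass and aligned(m.mail_from, m.header_from)
    dkim_ok = (m.dkim_pass_domain is not None
               and aligned(m.dkim_pass_domain, m.header_from))
    return spf_ok or dkim_ok


# Constructed sample messages (not real traffic).
SAMPLES = {
    # Legitimate direct mail: SPF and DKIM both pass and align.
    "direct": Message("bank.example", "bounce.bank.example", True, "bank.example"),
    # SPF passes for an unrelated envelope domain; header From is not covered.
    "mismatched_envelope": Message("bank.example", "other.test", True, None),
    # List adds a footer (author's DKIM breaks) and keeps the original From.
    "list_original_from": Message("bank.example", "lists.example.org", True, None),
    # List rewrites From to its own domain and signs the message itself.
    "list_rewritten_from": Message("lists.example.org", "lists.example.org",
                                   True, "lists.example.org"),
    # Sent through a third party: SPF unaligned, aligned DKIM alone suffices.
    "dkim_only": Message("bank.example", "esp.test", True, "bank.example"),
}


def evaluate() -> dict:
    # Map each sample name to (spf_result, dmarc_result).
    return {name: (m.spf_pass, dmarc_pass(m)) for name, m in SAMPLES.items()}
```

Every sample has an SPF pass, so the second value in each result shows what alignment adds on top of SPF.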