Epic thread I interpret as evidence of what garbage SPF is.
Quote Tweet
Hey, so y'all know SPF, the Sender Policy Framework, right? It's straightforward, isn't it? I mean, client connects, you check envelope-from, client IP, and (what else) a DNS record, and then make your call. Well. Turns out there's (a bit) more to it. Let's take a look...
SPF barely accomplishes anything by itself since it passes based on MAILFROM rather than only FROM. It doesn't really provide anti-spoofing when the user visible source address doesn't need to be valid. DMARC works well but it would work fine with only DKIM existing and no SPF.
DKIM works so much better with how email actually works in practice being passed through relays, etc. Mailing list software rewriting people's emails never should have been a thing instead of standardizing more headers like List-Unsubscribe. It's annoying it's still a problem.
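The distinction drawn in the replies above (SPF authenticates the envelope MAIL FROM, while DMARC requires alignment with the visible From and can be satisfied by DKIM alone), as an added example that is not part of the thread. All messages and domains are constructed, the SPF and DKIM verdicts are supplied as inputs rather than computed, and the two-label organizational-domain shortcut is an assumption (real DMARC code uses the Public Suffix List).

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(addr):
    """Lowercased domain of an address; '' for a null sender or no '@'."""
    _local, at, dom = parseaddr(addr or "")[1].rpartition("@")
    return dom.lower() if at else ""

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: both domains share one organizational domain."""
    return bool(auth_domain and from_domain) and \
        org_domain(auth_domain) == org_domain(from_domain)

def evaluate(envelope_from, spf_result, dkim_pass_domains, raw_message):
    """Compare the bare SPF verdict with a DMARC-style aligned verdict."""
    from_domain = domain_of(message_from_string(raw_message)["From"])
    spf_aligned = spf_result == "pass" and \
        aligned(domain_of(envelope_from), from_domain)
    dkim_aligned = any(aligned(d, from_domain) for d in dkim_pass_domains)
    return {"from_domain": from_domain, "spf": spf_result,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

# Constructed case 1: SPF passes for the envelope domain, but the visible
# From names an unrelated domain and there is no DKIM signature.
MISMATCHED = "From: Billing <billing@bank.example>\nSubject: invoice\n\nbody\n"
case_mismatch = evaluate("bounce@bulk-sender.example", "pass", [], MISMATCHED)

# Constructed case 2: a relay changed the envelope sender, so SPF cannot
# align, but the author's DKIM signature (d=example.com) still verifies.
RELAYED = "From: Alice <alice@example.com>\nSubject: hello\n\nbody\n"
case_relayed = evaluate("list-bounces@lists.example.org", "pass",
                        ["example.com"], RELAYED)

if __name__ == "__main__":
    for name, result in (("mismatch", case_mismatch), ("relayed", case_relayed)):
        print(name, result)
```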