by chuckadams
893 days ago
SPF only authenticates the envelope-from, whereas it's DKIM that takes care of the From: header. Without DKIM, one can easily do "EHLO randomspamdomainboughtyesterday.com" and "From: accounts@citibank.com". SPF is about the transport, DKIM is about the content. And to round it out, DMARC tells the receiver what to do when the SPF or DKIM tests fail, namely "report", "quarantine", or "reject". Not sure why they're requiring it when it doesn't affect a spam verdict. Maybe it's so those who run a misconfigured server can't complain if their mail is being dropped silently; Google and Yahoo can just tell them to switch the policy to "report".
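The spoofing scenario in the comment above, as an added example that is not part of the original comment: a DMARC (RFC 7489) alignment check showing why an SPF pass for the sender's own envelope domain does not authenticate the From: header. The function names, the policy record and the `bounce.`/`mail.` hostnames are constructed for illustration, and the organizational-domain rule is a simplifying assumption.

```python
# Added example: DMARC identifier alignment (RFC 7489) over constructed inputs.

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # receiver uses the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" (strict) needs an exact match, "r" (relaxed) the same org domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    # "v=DMARC1; p=reject; aspf=s" -> {"v": "DMARC1", "p": "reject", "aspf": "s"}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_disposition(header_from, mail_from, spf_result, dkim_sigs, record):
    """Return (dmarc_pass, action) for one message.

    header_from: domain of the From: header; mail_from: envelope-from domain
    spf_result:  SPF verdict for mail_from ("pass", "fail", ...)
    dkim_sigs:   list of (d= domain, verdict) pairs, one per DKIM signature
    record:      DMARC TXT record published at _dmarc.<header_from domain>
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return (False, "no-policy")
    spf_ok = spf_result == "pass" and aligned(mail_from, header_from, tags.get("aspf", "r"))
    dkim_ok = any(verdict == "pass" and aligned(d, header_from, tags.get("adkim", "r"))
                  for d, verdict in dkim_sigs)
    if spf_ok or dkim_ok:
        return (True, "deliver")
    # p=none is monitor-only: the failure is reported, the message is not touched.
    return (False, {"none": "report-only"}.get(tags["p"], tags["p"]))

# Constructed scenario from the comment: SPF passes for the spammer's own
# envelope domain, but nothing authenticates the citibank.com From: header.
POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r"   # constructed record
spoof = dmarc_disposition("citibank.com", "randomspamdomainboughtyesterday.com",
                          "pass", [], POLICY)
legit = dmarc_disposition("citibank.com", "bounce.citibank.com", "fail",
                          [("mail.citibank.com", "pass")], POLICY)
print(spoof, legit)
```
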
DKIM would be used only if SPF does not "pass", if there. DNS SPF is inappropriate for those email providers implementing DNS trickery which cannot work with DNS SPF. For DNS SPF to "pass", not only the SMTP prolog and transactions must be evaluated, but also some header fields (from:, reply-to:).
For instance, if you are self-hosted and your SPF DNS entry does match the domain in the SMTP prolog/transactions and the header fields, your spam score will be significantly lower.
With no-DNS email servers, you don't have the SPF DNS indirection and can directly check the IPs (bob@[x.x.x.x], alice@[ipv6:...]) for spam scoring.
That said, the real worst are those sysadmins blocking instead of enabling greylisting.