Open shoulders opened 7 months ago
So looking at these one at a time ... I'm not sure if using the name "Failure Qualifier" is a good idea, because it's not clear to the average person what this means. That's why I went with "Does SPF record cover all senders?" which I think better explains what it means.

Also, I don't think `+all` is ever an option we'd want to support since it allows all email ..
**Why you should keep +all**

The `all` option is the same as `+all` (the Allow option). `?all` is almost as bad and you have that one. `+all` is possibly used for testing and is a quick way to make sure emails get delivered.

**Why failure qualifier is a better name**

"Action for other senders" / "Does SPF record cover all senders", to me, sounds like email accounts rather than IP addresses that are defined in the SPF record. "SPF Failure Qualifier" to make it clear.

**Spamassassin**

If you set `SPF_FAIL = 10` and then set an auto-delete threshold to 5, the email is then deleted.

**DMARC policy for emails that fail SPF or DKIM**

- this speaks for itself.

I just added these so I don't forget about them.

`< default >` and `None` kept. I removed it from my options above but it is valid.

**SPF and DMARC sections should be separated**

**A and MX records should be tested**

Test that `A` and `MX` records and their servers exist, because the options don't allow control on this.

**SPF issues on Virtualmin.com (for reference)**

I did an issue a while ago because there were issues with your SPF for the domain sending me the registration verification email. I am not sure it is fixed.

Virtualmin's website SPF records are faulty - Cannot register on forum https://github.com/virtualmin/virtualmin-gpl/issues/560
> Also, I don't think `+all` is ever an option we'd want to support since it allows all email

I think using `~all` is more common as it provides a degree of protection while avoiding the risk of legitimate emails being rejected. I'd suggest using `~all` instead of `?all` (neutral) by default. What do you think?
> I'd suggest using `~all` instead of `?all` (neutral) by default. What do you think?

`-all`

- `~all` is used; `~all` is regarded as a fail in DMARC.
- Google is getting strict with accepting emails: https://news.ycombinator.com/item?id=36323137
- Google historically recommended `~all`.
- Why as a default would I let spammers use my domain to send emails.

> Why as a default would I let spammers use my domain to send emails.

What if the mail is relayed?

> Some email services will reject email if ~all is used

Which are those?

> ~all is regarded as a fail in DMARC.

DMARC policy decisions are based on SPF or DKIM passing and alignment, not just the SPF policy itself. `~all`, i.e. softfail, alone does not cause DMARC to fail, as far as I know. If the SPF check passes, and the domain aligns with the "From" domain, then it counts as a pass for DMARC, regardless of the `~all` policy.
One thing I'll do for sure is make the field names for the SPF "all" mode consistent between server templates and the DNS Options page! And expand on the help ...
> Google historically recommended ~all

These are example default SPF statements. `~all` is definitely historic.

- Microsoft: `v=spf1 +a +mx +ip4:31.31.31.31 +include:spf.protection.outlook.com -all`
- cPanel: `v=spf1 +a +mx +ip4:31.31.31.31 -all`

> What if the mail is relayed?

- Should the headers not be re-written to prevent breaking DKIM?
- An article backing your side, and a lot more technical than me: https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail

> Some email services will reject email if ~all is used

I cannot give you any specific examples so it might not be widespread, but I have come across it.

> ~all is regarded as a fail in DMARC.

`~all` will still generate a fail as far as DMARC is concerned, but this can be changed should you want it. `-all` set rather than `~all`, which from my point of view should be set to `-all` anyway. The exceptions where people require this change, then they can make it quite easily. `-all` does a better job of reducing spam than `~all`.
So is the conclusion that it would make sense to set the default to `-all`?

> So is the conclusion that it would make sense to set the default to `-all`?

I'd suggest to set the default to `~all`. It is a much safer default than `-all`.
The issue

While setting up my Virtualmin I found the SPF settings to be tricky to use and I will outline the reasons here. Overall the 2 sections should have unified options and be correctly named.

The 2 locations where you find SPF settings. Their issues will be listed below.

Edit Template section: DNS domain (Server Template)

Virtualmin --> System Settings --> Server Templates --> 'Default Settings' --> Edit Template section: DNS domain

- Failure Qualifier (`?all`, `+all`, `~all`, `-all`). Call it `Failure Qualifier` and have all 4 options correctly named as follows:
- Virtualmin --> System Settings --> Virtualmin Configuration --> Configuration category: SSL Settings --> Create TLSA DNS records for SSL certificates - The tooltip makes out this enables it for all domains, not just the system domain.
- `DMARC policy for emails that fail SPF or DKIM` is a radio option whereas in DNS Options it is a drop down.

DNS Options

Virtualmin --> Server Configuration --> DNS Options --> Action for other senders

- Failure Qualifier (`?all`, `+all`, `~all`, `-all`). Call it `Failure Qualifier` and have all 4 options correctly named as follows:
- `Reporting URI for forensic reports` and `Reporting URI for aggregate reports`
- `Extra DMARC options`

The built SPF record has some issues

If you go to Virtualmin --> DNS Records you can see the following

![image](https://github.com/virtualmin/virtualmin-gpl/assets/319997/e3d2aa48-df75-49af-9d65-a7453cd3643d)

Switches explained

- `a` = Allow the IP of the website (i.e. A record) for sending emails = 31.31.31.31
- `mx` = Allow the IP of the mail server (i.e. MX record) for sending emails = 31.31.31.31
- `a:example.com` = Allow the use of the IP for example.com for sending emails = 31.31.31.31
- `ip4:31.31.31.31` = Allow the use of the IP 31.31.31.31 for sending emails = 31.31.31.31
- `?all` = fail qualifier is neutral

Because you have `a` and `mx` you do not then need to define the IP and the domain with the `ip4:` and `a:` switches. You need to keep `a` and `mx` because they might have different IPs. The specified resources `a:` and `ip4:` should only be used when a user has manually defined a resource or perhaps you have allowed the virtual IP. Maybe add options to use the `A` and `MX` record in the SPF options rather than specifying the IP address.

Resources
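As an added example (not Virtualmin's code and not posted in this issue), the evaluator below models the switches explained above and the point raised earlier in the thread about DMARC: the `all` qualifier only applies to a sender that none of `a`, `mx`, `a:`, `ip4:` or `include:` matched, so a legitimate server gets SPF `pass` (and therefore DMARC SPF alignment) under `~all` and `-all` alike, while a bare `all` behaves like `+all`. The DNS table is constructed for the demo and `include:` is resolved from that same table.

```python
import ipaddress

# Constructed stand-in for DNS lookups (example data, not a real zone).
DNS = {
    "a":   {"example.com": ["31.31.31.31"], "mail.example.com": ["31.31.31.32"]},
    "mx":  {"example.com": ["mail.example.com"]},
    "txt": {"spf.partner.test": "v=spf1 ip4:198.51.100.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip, domain):
    """Evaluate the mechanisms Virtualmin emits (a, mx, a:host, ip4:addr,
    include:domain, all) against the constructed DNS table.
    Returns the RFC 7208 result string: pass, fail, softfail or neutral."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        # A bare mechanism ("all", "a") carries the implicit "+" qualifier.
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = str(ip) in DNS["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["mx"].get(arg or domain, [])
            matched = any(str(ip) in DNS["a"].get(h, []) for h in hosts)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the included record itself returns "pass".
            matched = check_spf(DNS["txt"][arg], client_ip, arg) == "pass"
        else:
            raise ValueError(f"unsupported mechanism: {term}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all": RFC 7208 default

def dmarc_spf_passes(spf_result, spf_domain, from_domain):
    """DMARC credits SPF only for a 'pass' result on an aligned domain;
    softfail, fail and neutral all count as 'not pass' (DKIM may still rescue)."""
    return spf_result == "pass" and spf_domain.lower() == from_domain.lower()

if __name__ == "__main__":
    for qual in ("~all", "-all", "?all", "all"):
        record = f"v=spf1 a mx ip4:31.31.31.31 {qual}"
        for sender in ("31.31.31.31", "31.31.31.32", "203.0.113.5"):
            r = check_spf(record, sender, "example.com")
            print(f"{qual:5} {sender:13} spf={r:8} dmarc_spf={dmarc_spf_passes(r, 'example.com', 'example.com')}")
```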