
On Mon, 8 Jan 2024 02:40:39 -0800 Ron / BCLUG via talk <talk@gtalug.org> wrote:
ac via talk wrote on 2024-01-08 02:22:
the ~ means if it is not from your servers it is also okay.
the - means ONLY from your servers.
The link I posted earlier (linuxbabe.com) had an interesting take on "~" vs "-" and why the former is preferable:
I do not know this website, sounds like a general self-help or newbie support type site? For real/working technical and real/working production servers and settings, the best is to look/read/study the RFC link in my previous reply. RFC generally guides us on how things work (or should work).
If a multi-host (postfix) site receives your mail (like Google?) and it gets relayed between their servers (perhaps main one is down for maintenance), and the final server gets the mail from the backup, sees "-", it may reject it.
Uhm, no. This is just not how it works.

If you include +mx in your SPF, any changes to your zone or MX PRI will automagically be included in +mx, as mx is also multiple/all records as defined in your zone (or even properly delegated zone).

IF your +mx is not updated/broken in your zone, or an undefined server/IP has taken over your actual mx without any updates in your zone, your email will be broken anyway and any.example.com will be able to send and receive email as your domain. You will have larger problems than me bouncing or -all, really (and who bounces on -all anyway?). You should SCORE -all as part of your SCORING.

And, if you are trying to say that GOOGLE.com sends or relays your email - then you need to include GOOGLE.com in your SPF as they are YOUR SENDER?

There is just nothing else to say or other correct technical opinions to have because --> it is what it is :)
Not sure if this is correct, but did cause pause for thought and am considering changing "-" to "~" on my domains.
Hmm, and these things are technical science and are not really about "feelings", so no, as this imnsho is not the best and you should not even be thinking about how you feel. You should be thinking: "What do I want" and "What do I want to do", and the next thought should be: "How do I tell others that this is what I want to do", and not wonder about how you feel about it :)

I tried speaking to someone the other day who "felt" that the earth was flat. It is just very difficult to negotiate or even chat with someone who has strong "feelings" about science and similar stuff...

But if you "feel" that you have to change your dns records, go for it :)

If you change it to "~" then anyone on the planet can send email as originating from your email address.

So how it works in practice for me:

If I receive email and SOFT FAIL (not in your SPF) I score it a +1 to +3 somewhere (depending on how strict/hard that specific email server of mine is).

If I receive email and HARD FAIL (not in your SPF) I SCORE it a +4 to +8 somewhere (depending on how strict/hard that specific email server of mine is).

So, it is all about scoring - if you reach a high enough score I never receive your email and it is either hard bounce or, if small, /dev/null. So, having an actual working email system today is all about scores and scoring :)

Anyway, as it relates to SPF (as per the current RFC) it is about what YOU want to happen. The "S" in SPF is "SENDER" (not RECEIVER). What do YOU want to tell recipients of YOUR email relay?

Do YOU want to tell them "~" accept email when sent from my domain from anyone on the planet?

OR do YOU want to tell them "-" accept ONLY email from MY servers?

Of course, if you relay through GOOGLE - you DO NOT have to worry, google.com uses google.com all throughout their relay (which is actually one of the very few cool things remaining about google).

BUT, if you relay through example.com and example.com then relays through example1.com who also relays through example2.com who relays through any random email server out there - then you WILL HAVE to add "~" to allow example2.com to deliver your important mail communications wherever.

hth

Andre
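
Added example, not part of the original message or written by anyone in this thread: a minimal Python sketch of the receiver-side SPF evaluation and score-based handling discussed above, showing how the same unlisted sender is treated under `-all` and `~all`. The zone data, addresses, score weights (picked from inside the ranges quoted in the message) and reject threshold are all assumptions, and only the `ip4`, `ip6`, `mx` and `all` mechanisms of RFC 7208 are handled.

```python
import ipaddress

# Constructed sample data: hypothetical zone, documentation-range addresses.
MX_HOSTS = {"example.com": ["192.0.2.10", "192.0.2.11"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumed weights taken from inside the ranges given in the message
# (softfail +1..+3, hardfail +4..+8); the threshold is hypothetical.
SPF_SCORE = {"softfail": 2, "fail": 6}
REJECT_AT = 8

def check_spf(record, sender_ip, domain, mx_hosts=MX_HOSTS):
    """Evaluate an SPF record left to right; the first matching term wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are ignored in this sketch
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = mx_hosts.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, include, exists, ptr: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches

def score_message(spf_result, other_score=0):
    """Add the SPF weight to the score from other checks and decide."""
    total = other_score + SPF_SCORE.get(spf_result, 0)
    return total, ("reject" if total >= REJECT_AT else "accept")

if __name__ == "__main__":
    for rec in ("v=spf1 mx -all", "v=spf1 mx ~all"):
        result = check_spf(rec, "198.51.100.7", "example.com")
        print(rec, "->", result, score_message(result, other_score=3))
```
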