no more "Send through Gmail" option
Royce Williams
royce at techsolvency.com
Fri Sep 5 23:26:48 UTC 2014
On Fri, Sep 5, 2014 at 3:01 PM, Hugo Slabbert <hugo at slabnet.com> wrote:
>> If it really was more the former, there would be a "if your SPF
>> records include:_spf.google.com, you can still do it" option, IMO.
>
>
> Manager: So, you're saying if we just check the SPF record when they set up
> the account, we could still let them do it.
>
> Tech: Yes, except if they also use DKIM; then it's a no-go.
>
> Manager: Okay, so if their SPF record includes Google's and they don't have
> DKIM, then we'd be okay?
>
> Tech: Yes...but if they don't have an SPF record when they set up the
> account and then add one later, we'd still be in trouble.
>
> Manager: ...
>
> Tech: I guess we could do periodic checks for SPF records on their domains
> and either disable sending or send them an alert if an SPF record is created
> that could problems?
>
> Manager: ...okay...and then it'd be okay?
>
> Tech: Well, if they don't have DKIM to start and then add it, that would
> also be a problem.
>
> Manager: ...
>
> Tech: ...but in addition to doing checks for new/altered SPF records, we
> could also do checks if they add DKIM after adding the account.
>
> Manager: ...
>
> Tech: ...or we could just turn it off.
>
> Manager: Works for me.
The scenario largely rings true, except that I would think it
reasonable to tell people that it if it breaks because they added
DKIM, it's not Google's problem to fix.
But your larger point is valid. Requiring Google for Work
automatically means that Google is dealing with geeks who manage the
entire domain, instead of chasing failure modes for individual end
users.
That being said, domain holders could signal that they're deliberately
opting in domain-wide by using a different SPF include, like
'_spf-fwd.google.com', and agreeing (with a checkbox?) that chasing
DKIM is their baby.
Royce
More information about the NANOG
mailing list