Wow, lots of comments. Thanks for participating in this discussion. I can't respond to everything but a few thoughts:
- I'm reaching out to support to ask if my headers have already been "munged" or if there is something else that can be done.
- I will definitely be moving to p=quarantine and p=reject.? If groups.io won't work with my custom domain, I'll change to a Gmail address.
- Jim, re. SPF, I'm not sure that include=groups.io even works, as that does not resolve to the sending IP. 66.175.222.108 is Linode and I don't want to allow everyone hosted there to send from my domain.
- Sending mail "on behalf of" can be convenient and has long historical precedent, but like most things in Internet space, as abuse rises, added security is needed. I fully expect that I as domain owner must explicitly authorize a select few senders by modifying my DNS. I like the way SendGrid implements this:? with a few custom CNAME records, they are able to SPF-authenticate and DKIM-sign messages on my behalf. But I'm willing to just a manual SPF modification if that is enough.
Meanwhile, Moldava is still bombarding from my domain:? 1900 messages yesterday.
