On Fri, Sep 5, 2014 at 3:01 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
If it really was more the former, there would be an "if your SPF records include:_spf.google.com, you can still do it" option, IMO.
Manager: So, you're saying if we just check the SPF record when they set up the account, we could still let them do it.
Tech: Yes, except if they also use DKIM; then it's a no-go.
Manager: Okay, so if their SPF record includes Google's and they don't have DKIM, then we'd be okay?
Tech: Yes...but if they don't have an SPF record when they set up the account and then add one later, we'd still be in trouble.
Manager: ...
Tech: I guess we could do periodic checks for SPF records on their domains and either disable sending or send them an alert if an SPF record is created that could cause problems?
Manager: ...okay...and then it'd be okay?
Tech: Well, if they don't have DKIM to start and then add it, that would also be a problem.
Manager: ...
Tech: ...but in addition to doing checks for new/altered SPF records, we could also do checks if they add DKIM after adding the account.
Manager: ...
Tech: ...or we could just turn it off.
Manager: Works for me.
The scenario largely rings true, except that I would think it reasonable to tell people that if it breaks because they added DKIM, it's not Google's problem to fix. But your larger point is valid. Requiring Google for Work automatically means that Google is dealing with geeks who manage the entire domain, instead of chasing failure modes for individual end users. That being said, domain holders could signal that they're deliberately opting in domain-wide by using a different SPF include, like '_spf-fwd.google.com', and agreeing (with a checkbox?) that chasing DKIM is their baby.

Royce