Levine makes a good point. A less complex option would be:

auth=dkim  # apply dkim only, ignore spf, dkim failure is dmarc=fail
auth=spf   # apply spf only, ignore dkim, spf failure is dmarc=fail

The default auth=dkim,spf SHOULD NOT be explicitly required. It adds no additional security value. I would like to note that some DNS Zone Managers with DMARC record support will add the complete set of tags available for the protocol with the default conditions, making the record look more complex than it really is.

Other system integration options would be (forgive me, for I have sinned):

atps=1     # we support ATPS protocol for 3rd party signer.
rewrite=1  # we are perfectly fine with Author Rewrite

--
HLS

On 6/22/2023 10:18 PM, John Levine wrote:
It appears that Emil Gustafsson  <e...@google.com> said:
I don't know if there is a better way to encode that, but I'm supportive of
making a change that that would allow domains to tell us (gmail) that they
prefer us to require both dkim and spf for DMARC evaluation (or whatever
combination of DKIM and SPF they desire).
I really don't understand what problem this solves. More likely people
will see blog posts telling them auth=dkim+spf is "more secure",
they'll add that without understanding what it means, and all that
will happen is that more of their legit mail will disappear.

If you're worried about DKIM replay attacks, let's fix that rather
than trying to use SPF, which as we know has all sorts of problems of
its own, as a band-aid.

R's,
John

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

--
Hector Santos,
https://santronics.com
https://winserver.com
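To make the proposed tag semantics concrete, here is an added Python illustration (not code from the original post, the DMARC specification, or any existing implementation): a small DMARC record parser that understands a hypothetical "auth" tag with the values discussed in this thread, and an evaluator that applies it to the aligned DKIM/SPF outcomes. The "auth" tag, its values ("dkim", "spf", the default "dkim,spf", and the "require both" form "dkim+spf" raised by Gustafsson) and the function names are assumptions for the example; RFC 7489 has no such tag. The accepted_pairs() helper enumerates which (DKIM, SPF) outcome combinations still pass under each setting, which is the practical point of Levine's objection: every stricter setting only shrinks the set of mail that passes.

```python
"""Evaluate DMARC results under a hypothetical auth= tag.

Added illustration for the thread above; not part of RFC 7489, DMARCbis,
or the original message.  The "auth" tag and its values are assumptions
taken from the proposal being discussed.
"""
from dataclasses import dataclass

AUTH_TAG = "auth"  # hypothetical tag name from the proposal above
AUTH_MODES = {
    "dkim,spf": "either",  # today's DMARC rule: one aligned pass suffices
    "dkim": "dkim",        # DKIM only; SPF is ignored
    "spf": "spf",          # SPF only; DKIM is ignored
    "dkim+spf": "both",    # "require both", the variant Gustafsson asked about
}


@dataclass(frozen=True)
class DmarcRecord:
    policy: str
    auth_mode: str


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record's tag=value list.

    Only v=, p= and the hypothetical auth= tag are interpreted; any other
    tag is ignored, as RFC 7489 requires receivers to do with unknown tags.
    A missing auth= tag means the default "dkim,spf" (either may pass).
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    auth = tags.get(AUTH_TAG, "dkim,spf").replace(" ", "").lower()
    if auth not in AUTH_MODES:
        raise ValueError(f"unknown {AUTH_TAG}= value: {auth!r}")
    return DmarcRecord(policy=tags["p"].lower(), auth_mode=AUTH_MODES[auth])


def dmarc_result(rec: DmarcRecord, dkim_aligned_pass: bool,
                 spf_aligned_pass: bool) -> str:
    """Return "pass" or "fail" given the aligned DKIM and SPF outcomes."""
    if rec.auth_mode == "either":
        ok = dkim_aligned_pass or spf_aligned_pass
    elif rec.auth_mode == "dkim":
        ok = dkim_aligned_pass
    elif rec.auth_mode == "spf":
        ok = spf_aligned_pass
    else:  # "both"
        ok = dkim_aligned_pass and spf_aligned_pass
    return "pass" if ok else "fail"


def disposition(rec: DmarcRecord, dkim_aligned_pass: bool,
                spf_aligned_pass: bool) -> str:
    """Apply p= to the result (ignores pct=, sp= and local policy overrides)."""
    if dmarc_result(rec, dkim_aligned_pass, spf_aligned_pass) == "pass":
        return "none"
    return rec.policy if rec.policy in ("none", "quarantine", "reject") else "none"


def accepted_pairs(txt: str) -> list:
    """All (dkim_pass, spf_pass) combinations that pass under this record."""
    rec = parse_dmarc(txt)
    return [(d, s) for d in (True, False) for s in (True, False)
            if dmarc_result(rec, d, s) == "pass"]


if __name__ == "__main__":
    # Constructed sample records for the four settings discussed.
    for record in ("v=DMARC1; p=reject",
                   "v=DMARC1; p=reject; auth=dkim",
                   "v=DMARC1; p=reject; auth=spf",
                   "v=DMARC1; p=reject; auth=dkim+spf"):
        print(f"{record:40s} passes for {accepted_pairs(record)}")
```

Running the block prints, for each setting, the outcome pairs that still pass: the default accepts three of the four combinations, "auth=dkim" and "auth=spf" accept two each, and "auth=dkim+spf" accepts only a message that passes both, so a DKIM replay that also passes SPF (mail relayed through the domain's own outbound infrastructure) is still accepted under the strictest setting while forwarded legitimate mail that loses SPF is not.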