On Jun 23, 2023, at 1:54 PM, John R Levine <jo...@taugh.com> wrote:
> 
>> My understanding is that if `auth=dkim` then SPF would be ignored from the
>> perspective of DMARC. So if a receiver sees DKIM is not DMARC aligned and
>> only SPF is DMARC aligned then it would still be treated as a DMARC fail.
> 
> That's my understanding.
> 
>> It would be a way for senders to say "yes I checked that all my DKIM
>> signatures are working and aligned, I don't need you to look at SPF and
>> don't want to have the risk of SPF Upgrades."
> 
> So why do you publish an SPF record?  Presumably so someone will accept your 
> mail who wouldn't otherwise, except you just said they shouldn't. Still not 
> making sense to me.

I believe because the domain may still want the restrictive SPF -ALL and DMARC 
p=reject or p=quarantine for normal direct messages, but they recognize users 
will be contacting people where SPF will fail due to a forward.

If you remove the SPF record or weaken it with ~ALL or ?ALL, then it weakens 
the majority of non-forwarded direct transactions. The proposed tag `auth=dkim` 
will indicate to Gmail that SPF failing is OK as long as the first-party DKIM 
signature is still intact. It’s weaker but would be less problematic than it 
is today.

Today, we can modify the return path for the forward, or not allow forwarding 
and make the (Gmail) user pick up the mail via POP3/IMAP.  No forwarding.

—
HLS

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
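
Added example, not part of the original message or of any published DMARC specification: a small evaluator showing how the `auth=dkim` tag discussed above would change the DMARC outcome for forwarded mail versus mail that aligns through SPF only. The tag syntax follows the thread's proposal; the `org_domain` shortcut, the function names and all sample domains are assumptions constructed for illustration.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record, from_domain, spf, dkim_sigs):
    """spf: (result, MAIL FROM domain); dkim_sigs: list of (result, d= domain)."""
    tags = parse_dmarc(record)
    # Proposed tag from the thread: auth=dkim means SPF is ignored for DMARC.
    # Without the tag, either aligned method is enough (current behaviour).
    use_spf = tags.get("auth") != "dkim"
    spf_ok = (use_spf and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed sample data; every domain below is a placeholder.
TODAY = "v=DMARC1; p=reject"
PROPOSED = "v=DMARC1; p=reject; auth=dkim"
# Forwarded mail: SPF fails at the forwarder, the first-party signature survives.
FORWARDED = dict(spf=("fail", "example.com"), dkim_sigs=[("pass", "example.com")])
# SPF-only: SPF passes and aligns, the only passing signature is a third party's.
SPF_ONLY = dict(spf=("pass", "bounce.example.com"),
                dkim_sigs=[("pass", "esp.example.net")])

if __name__ == "__main__":
    for name, msg in (("forwarded", FORWARDED), ("spf-only", SPF_ONLY)):
        for label, rec in (("today", TODAY), ("auth=dkim", PROPOSED)):
            print(f"{name:10} {label:10} {dmarc_result(rec, 'example.com', **msg)}")
```

The only row that changes under the proposed tag is the SPF-only message, which goes from pass to fail; forwarded mail with an intact first-party signature passes either way.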
