Colleagues, After reviewing the "Another point SPF advice" thread and Murray's separate post re: SHOULD vs. MUST, I have opened issue 132 on the topic:
The current text of section 5.5.1, Publish an SPF Policy for an Aligned Domain, reads:

==================================================
Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to take full advantage of DMARC, a Domain Owner SHOULD first ensure that SPF and DKIM authentication are properly configured. As a first step, the Domain Owner SHOULD choose a domain to use as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail, one that aligns with the Author Domain, and then publish an SPF policy in DNS for that domain. The SPF record SHOULD be constructed at a minimum to ensure an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom domain.
==================================================

In the ticket, I propose the following replacement text:

==================================================
Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to take full advantage of DMARC, a Domain Owner MUST first ensure that either SPF or DKIM authentication are properly configured, and SHOULD ensure that both are. To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail that aligns with the Author Domain, and then publish an SPF policy in DNS for that domain. The SPF record MUST be constructed at a minimum to ensure an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom domain.
==================================================

In addition, the last paragraph in section 5.5.2, Configure Sending System for DKIM Signing Using an Aligned Domain, reads:

==================================================
The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.
==================================================

In the ticket, I propose the following new text:

==================================================
To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.
==================================================

Further notes on the threads that gave rise to this ticket:

- I do not believe that recommending the use of the ? modifier in an SPF record configured for DMARC is appropriate, since as I understand the ? modifier, the result produced is not "pass", but rather "neutral", which is the same as "none". Therefore, an SPF record using ? would not produce an aligned pass to be used with DMARC. I am willing to be convinced that I'm wrong here.

- That said, I think there is room for discussion of too-permissive SPF records and the cross-user forgery discussed in RFC 7208 Section 11.4, and I will open a separate issue for that to expand on section 8.1.

--
Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
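The following is an added illustration, not part of Todd's message or of the DMARC draft text: a deliberately simplified SPF evaluator and DMARC alignment check that makes the two points above concrete, namely that a `?` qualifier yields "neutral" rather than "pass" (so it cannot produce an aligned pass for DMARC), and that DMARC needs an aligned pass from either SPF (RFC5321.MailFrom domain) or DKIM (d= domain). The evaluator handles only `ip4`, `ip6` and `all` terms with no DNS lookups, and the organizational-domain function uses a last-two-labels shortcut instead of the Public Suffix List; both are labelled simplifications, and all records and addresses are constructed sample data.

```python
"""Simplified SPF evaluation and DMARC alignment (constructed teaching example).

Not a conforming RFC 7208 / RFC 7489 implementation: no DNS, no include/a/mx/
redirect handling, and no Public Suffix List. Enough to show how qualifiers
map to SPF results and how those results feed DMARC alignment.
"""
import ipaddress

# RFC 7208 qualifiers and the result each produces when its mechanism matches.
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate one SPF TXT record against a sending IP (ip4/ip6/all only)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return RESULT_BY_QUALIFIER[qualifier]
        # include/a/mx/exists/redirect are skipped in this simplified version.
    return "neutral"  # RFC 7208 default when no mechanism matched


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real DMARC uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain: str, author_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict = exact match, relaxed = same org domain."""
    a, b = domain.lower().rstrip("."), author_domain.lower().rstrip(".")
    if mode == "strict":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_evaluation(author_domain: str, mail_from_domain: str, spf_result: str,
                     dkim_d_domain, dkim_result: str, mode: str = "relaxed") -> dict:
    """Only an SPF *pass* or DKIM *pass* with an aligned identifier counts.

    neutral, softfail, none and fail all leave DMARC without an aligned pass.
    """
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, author_domain, mode)
    dkim_ok = (dkim_result == "pass" and dkim_d_domain is not None
               and aligned(dkim_d_domain, author_domain, mode))
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed sample: a sender in 192.0.2.0/24 and two SPF records.
    strict_record = "v=spf1 ip4:192.0.2.0/24 -all"
    neutral_record = "v=spf1 ?ip4:192.0.2.0/24 -all"   # the "?" qualifier case
    for rec in (strict_record, neutral_record):
        spf = evaluate_spf(rec, "192.0.2.10")
        verdict = dmarc_evaluation("example.com", "bounce.example.com", spf, None, "none")
        print(f"{rec!r}: spf={spf} dmarc={verdict}")
```

Running the module shows the first record giving `spf=pass` and an aligned DMARC pass under relaxed alignment (bounce.example.com shares the organizational domain example.com), while the `?ip4` record gives `spf=neutral` and no DMARC pass at all, which is the reason the message above objects to recommending `?` for DMARC-configured SPF records.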