On Thu 14/Mar/2024 15:09:37 +0100 Todd Herr wrote:
[...]

In the ticket, I propose the following replacement text:

==================================================
Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to
take full advantage of DMARC, a Domain Owner MUST first ensure that either
SPF or DKIM authentication is properly configured, and SHOULD ensure that
both are.

To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as
the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail
that aligns with the Author Domain, and then publish an SPF policy in DNS
for that domain. The SPF record MUST be constructed at a minimum to ensure
an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom
domain.
==================================================


Wouldn't you at least add "trusted", "ensure an SPF pass verdict for all known, trusted sources of mail"? To avoid mandating an insecure behavior. Consider:

_ Hey dude, they're spoofing your domain with a tide of phishing.

_ How come?

_ You have an include:phisherman.example in your SPF.  Remove it.

_ No, since they occasionally send a true message from us, the RFC says I MUST keep it.


[...]
Further notes on the threads that gave rise to this ticket:

    - I do not believe that recommending the use of the ? modifier in an SPF
    record configured for DMARC is appropriate, since as I understand the ?
    modifier, the result produced is not "pass", but rather "neutral", which is
    the same as "none". Therefore, an SPF record using ? would not produce an
    aligned pass to be used with DMARC. I am willing to be convinced that I'm
    wrong here.


The drastic solution for those who unwittingly chose a non-filtering provider is to remove the SPF record altogether. The compromise is to use the neutral qualifier. If we mention that —which I think we should— we should also add that DKIM is necessary for such mail flows.


Best
Ale
--
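As an added illustration (not part of the thread or of any DMARC/SPF implementation), the following minimal SPF evaluator over constructed DNS records shows both points raised above: an `include:` of a sender the Domain Owner does not trust hands that sender an aligned SPF pass for the Author Domain, while a `?` qualifier yields "neutral", which DMARC cannot use. The domain names, the TXT records and the two-label organizational-domain rule are assumptions made for the example.

```python
import ipaddress

# Constructed TXT records for the scenarios in the thread (not real DNS).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:phisherman.example -all",
    "news.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "phisherman.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "neutral.example": "v=spf1 ?ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Evaluate the v=spf1 record of `domain` for sender `ip`.
    Only ip4, include and all are implemented (enough for the thread's cases);
    a production checker must follow RFC 7208 in full."""
    record = DNS_TXT.get(domain)
    if record is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"                           # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        if mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        # include matches only when the included record yields "pass";
        # the qualifier on the include term then decides the result.
        if mech == "include" and check_spf(arg, ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"                         # no mechanism matched


def org_domain(domain):
    """Simplified organizational domain: last two labels (DMARC proper uses
    the Public Suffix List; this is an assumption for the example)."""
    return ".".join(domain.split(".")[-2:])


def dmarc_spf_aligned(author_domain, mailfrom_domain, ip, strict=False):
    """DMARC can use SPF only if the verdict is exactly "pass" AND the
    RFC5321.MailFrom domain aligns with the RFC5322.From (Author) domain."""
    if check_spf(mailfrom_domain, ip) != "pass":
        return False                         # neutral/softfail/fail/none never count
    if strict:
        return author_domain == mailfrom_domain
    return org_domain(author_domain) == org_domain(mailfrom_domain)
```

Run with `dmarc_spf_aligned("example.com", "example.com", "198.51.100.7")` to see the third-party include producing an aligned pass, and with `neutral.example` and `203.0.113.5` to see the `?` qualifier leaving DMARC with no usable SPF result.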
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
