On Thu 14/Mar/2024 15:09:37 +0100 Todd Herr wrote:
[...]
> In the ticket, I propose the following replacement text:
> ==================================================
> Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to
> take full advantage of DMARC, a Domain Owner MUST first ensure that either
> SPF or DKIM authentication is properly configured, and SHOULD ensure that
> both are.
> To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as
> the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail
> that aligns with the Author Domain, and then publish an SPF policy in DNS
> for that domain. The SPF record MUST be constructed at a minimum to ensure
> an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom
> domain.
==================================================
Wouldn't you at least add "trusted", "ensure an SPF pass verdict for all
known, trusted sources of mail"? To avoid mandating an insecure behavior.
Consider:
_ Hey dude, they're spoofing your domain with a tide of phishing.
_ How come?
_ You have an include:phisherman.example in your SPF. Remove it.
_ No, since they occasionally send a true message from us, the RFC says I MUST
keep it.
[...]
> Further notes on the threads that gave rise to this ticket:
> - I do not believe that recommending the use of the ? modifier in an SPF
> record configured for DMARC is appropriate, since as I understand the ?
> modifier, the result produced is not "pass", but rather "neutral", which is
> the same as "none". Therefore, an SPF record using ? would not produce an
> aligned pass to be used with DMARC. I am willing to be convinced that I'm
> wrong here.
The drastic solution for those who unwittingly chose a non-filtering provider
is to remove the SPF record altogether. The compromise is to use the neutral
qualifier. If we mention that —which I think we should— we should also add
that DKIM is necessary for such mail flows.
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
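The two points argued in this thread, that an "include:" of an untrusted sender extends your SPF pass to whatever that sender's record authorizes, and that the "?" qualifier yields "neutral" rather than an aligned "pass" for DMARC, can be seen in a small evaluator. This is an added illustration, not code from the list or from any RFC: it is a deliberately reduced SPF evaluator (only ip4, include and all, with the four qualifiers, strict identifier alignment) over a constructed in-memory DNS table, so no real lookups happen.

```python
# Reduced SPF evaluator (constructed example, not a full RFC 7208 implementation).
import ipaddress

# Constructed DNS: domain -> SPF TXT record (hypothetical names, no real lookups).
DNS = {
    # example.com includes a third party it does not control
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:phisherman.example -all",
    "phisherman.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # a record built with the "?" qualifier, as discussed in the thread
    "neutral.example": "v=spf1 ?ip4:203.0.113.0/24 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Return the SPF result for sender ip against domain's record."""
    record = DNS.get(domain)
    if record is None or depth > 10:
        return "none"            # no record, or include nesting too deep
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mech.startswith("include:"):
            # include matches only when the referenced domain evaluates to "pass";
            # its qualifier then decides the result, so the third party's
            # authorized sources become authorized for this domain too.
            if check_spf(ip, mech[len("include:"):], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"             # no mechanism matched and no "all" present


def dmarc_spf_aligned(ip, mailfrom_domain, from_domain):
    """DMARC credits SPF only on a 'pass' whose MailFrom domain aligns
    with the RFC5322.From domain (strict alignment assumed here)."""
    return check_spf(ip, mailfrom_domain) == "pass" and mailfrom_domain == from_domain
```

Running it shows that a source authorized only by the included third party passes for example.com, while the "?"-only record never produces a DMARC-usable result, so such a mail flow needs DKIM.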