On Thu 14/Mar/2024 18:35:05 +0100 Scott Kitterman wrote:
On Thursday, March 14, 2024 11:27:03 AM EDT Alessandro Vesely wrote:
On Thu 14/Mar/2024 15:09:37 +0100 Todd Herr wrote:
[...]
In the ticket, I propose the following replacement text:
==================================================
Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to
take full advantage of DMARC, a Domain Owner MUST first ensure that either
SPF or DKIM authentication is properly configured, and SHOULD ensure that
both are.
To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as
the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail
that aligns with the Author Domain, and then publish an SPF policy in DNS
for that domain. The SPF record MUST be constructed at a minimum to ensure
an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom
domain.
==================================================
Wouldn't you at least add "trusted", "ensure an SPF pass verdict for all
known, trusted sources of mail"? To avoid mandating an insecure behavior.
Consider:
_ Hey dude, they're spoofing your domain with a tide of phishing.
_ How come?
_ You have an include:phisherman.example in your SPF. Remove it.
_ No, since they occasionally send a true message from us, the RFC says I
MUST keep it.
[...]
I think that's issue 135, not this one.
SPF is treated in multiple places. We cannot warn against a bad practice in
one place (135) and recommend it unconditionally in another (132).
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
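Added example, not from the thread or the DMARC draft: an offline Python linter that parses an SPF TXT record, flags include:/redirect= targets outside the Domain Owner's own list of trusted third parties (the "include:phisherman.example" scenario above) and a permissive final "all", and checks that a known source address gets an ip4:/ip6: pass. The record strings, the trusted-includes set and the address values are constructed.

```python
import ipaddress
import re

# Constructed records: the first mirrors the scenario in the thread, an
# include: for a third party the Domain Owner does not actually trust.
WEAK_RECORD = "v=spf1 ip4:192.0.2.0/24 include:phisherman.example include:_spf.example.net -all"
FIXED_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

# Hypothetical allowlist: third-party sender domains the Domain Owner has vetted.
TRUSTED_INCLUDES = {"_spf.example.net"}

# qualifier (+ - ~ ?), mechanism/modifier name, optional argument after : = or /
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$")

def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        match = TERM_RE.match(part.lower())
        if not match:
            raise ValueError("unparseable term: " + part)
        qual, name, arg = match.groups()
        terms.append((qual or "+", name, arg))
    return terms

def lint_spf(record, trusted_includes):
    """Findings a Domain Owner should review before publishing the record:
    include:/redirect= targets not on the trusted list (they authorise every
    host that target lists), and an 'all' term that passes or neutralises
    arbitrary senders."""
    terms = parse_spf(record)
    findings = [f"untrusted {name}: {arg}" for _, name, arg in terms
                if name in ("include", "redirect") and arg not in trusted_includes]
    all_terms = [qual for qual, name, _ in terms if name == "all"]
    if not all_terms:
        findings.append("no 'all' term (implicit neutral result)")
    elif all_terms[-1] in ("+", "?"):
        findings.append(f"'{all_terms[-1]}all' passes or neutralises any sender")
    return findings

def covers_ip(record, ip):
    """True if an ip4:/ip6: term with a pass qualifier covers ip. Terms that need
    DNS (a, mx, include, redirect) are not resolved by this offline checker."""
    addr = ipaddress.ip_address(ip)
    for qual, name, arg in parse_spf(record):
        if name in ("ip4", "ip6") and qual == "+":
            if addr in ipaddress.ip_network(arg, strict=False):
                return True
    return False
```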