> On Mar 14, 2024, at 10:09 AM, Todd Herr
> <todd.herr=40valimail....@dmarc.ietf.org> wrote:
>
>
> In the ticket, I propose the following replacement text:
>
> ==================================================
> Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to take
> full advantage of DMARC, a Domain Owner MUST first ensure that either SPF or
> DKIM authentication are properly configured, and SHOULD ensure that both are.

+1

>
> To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as
> the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail that
> aligns with the Author Domain, and then publish an SPF policy in DNS for that
> domain. The SPF record MUST be constructed at a minimum to ensure an SPF pass
> verdict for all known sources of mail for the RFC5321.MailFrom domain.

A major consideration, Todd, is that receivers will process SPF for SPF without
DMARC (payload) considerations. IOW, if SPF is a hardfail, we have SMTP
processors who will not continue to transmit a payload (DATA).

DMARCBis is making a major design presumption that receivers will only use SPF as a
data point for a final DMARC evaluation where a potentially high overhead
payload was transmitted only to be rejected anyway.

> In the ticket, I propose the following new text:
>
> ==================================================
> To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing
> domain (i.e., the d= domain in the DKIM-Signature header) that aligns with
> the Author Domain.
> ==================================================

In order to maximize security, the Domain Owner is REQUIRED to choose a …..

Is REQUIRED the same as MUST? I think SHOULD or MUST is fine as long as we
specify the reason it is required.

—
HLS
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
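
The two receiver behaviours discussed in this thread, modelled side by side as an added example (not part of the original message, the draft, or any DMARC implementation). The sample domains are constructed, SPF and DKIM results are supplied as inputs rather than looked up, and the two-label org_domain() helper is an assumption standing in for real Organizational Domain discovery.

```python
# Added illustration: SPF/DKIM results are inputs, no DNS lookups are made.
from dataclasses import dataclass

@dataclass
class Message:
    author_domain: str              # RFC5322.From domain
    mailfrom_domain: str            # RFC5321.MailFrom (Return-Path) domain
    spf_result: str                 # "pass", "fail" (hardfail), "softfail", "none"
    dkim_pass_domains: tuple = ()   # d= domains whose signatures verified

def org_domain(domain):
    # Assumption: the last two labels stand in for the Organizational Domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, author, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    if strict:
        return identifier.lower() == author.lower()
    return org_domain(identifier) == org_domain(author)

def dmarc_pass(msg, strict=False):
    # DMARC passes when SPF or DKIM both passes and aligns with the author.
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.mailfrom_domain, msg.author_domain, strict))
    dkim_ok = any(aligned(d, msg.author_domain, strict)
                  for d in msg.dkim_pass_domains)
    return spf_ok or dkim_ok

def receive(msg, reject_spf_fail_at_mail_from):
    """Return (SMTP stage at which the verdict is reached, verdict)."""
    if reject_spf_fail_at_mail_from and msg.spf_result == "fail":
        # Session ends before DATA, so DKIM signatures are never seen.
        return ("MAIL FROM", "rejected")
    return ("DATA", "dmarc-pass" if dmarc_pass(msg) else "dmarc-fail")

# Constructed sample messages.
FORWARDED = Message("example.com", "bounce.example.com", "fail", ("example.com",))
UNALIGNED = Message("example.com", "mail.esp.example.net", "pass")
UNSIGNED_FAIL = Message("example.com", "example.com", "fail")

if __name__ == "__main__":
    samples = {"forwarded": FORWARDED, "unaligned": UNALIGNED,
               "unsigned_fail": UNSIGNED_FAIL}
    for name, msg in samples.items():
        for early in (True, False):
            print(name, "early-SPF-reject" if early else "DMARC-only",
                  receive(msg, early))
```

The forwarded sample is the case where the two receivers disagree: aligned DKIM would give a DMARC pass, but a receiver enforcing SPF hardfail at MAIL FROM never gets that far.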