[dmarc-ietf] Fwd: Break SPF response: DKIM Only

2024-03-04 Thread Chuhan Wang
Hi Douglas, Thank you for your insightful summary of our paper. I'd like to share some of my opinions. You mentioned clients lose control of their SPF integrity. It's one of the key problems exactly. Clients host their email services on email providers. They are required to include email

[dmarc-ietf] Fwd: The sad state of SPF: research just presented at NDSS

2024-03-04 Thread Chuhan Wang
Hi Everyone, I am Chuhan Wang from Tsinghua University, the author of the paper BreakSPF: How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet. Thanks Barry for sharing our paper presented at NDSS regarding the vulnerabilities of SPF in this working group. I'm glad to see that

Re: [dmarc-ietf] The sad state of SPF: research just presented at NDSS

2024-03-04 Thread Hector Santos
> On Feb 28, 2024, at 6:33 PM, Barry Leiba wrote: > > A paper was presented this morning at NDSS about the state of SPF, which is > worth a read by this group: > > https://www.ndss-symposium.org/ndss-paper/breakspf-how-shared-infrastructures-magnify-spf-vulnerabilities-across-the-internet/ >

Re: [dmarc-ietf] DMARCbis WGLC Significant(ish) Issue - Section 7.6

2024-03-04 Thread Hector Santos
No rehashing, my technical opinion, clearly the semantics, but both lead to: “You SHOULD|MUST consider the documented conflicts before using the restricted policy p=reject” Question. Is p=quarantine ok to use? Or do we presume p=reject implies p=quarantine? All the best, Hector Santos

[dmarc-ietf] A possible point for SPF advice

2024-03-04 Thread Alessandro Vesely
Hi, Section 5 has a paragraph that can fit Scott's solution to SPF spoofing. Here's a possible change: OLD A Domain Owner or PSO may choose not to participate in DMARC evaluation by Mail Receivers simply by not publishing an appropriate DNS TXT record for its domain(s). A Domain

Re: [dmarc-ietf] DISCARD: 4.3. Authentication Mechanisms

2024-03-04 Thread Alessandro Vesely
Sorry, I've been fooled by the page break. Alessandro Vesely writes: Hi, it is not true that DMARC relies solely on SPF authentication. OLD * SPF, [RFC7208], which can authenticate both the domain found in an SMTP [RFC5321] HELO/EHLO command (the HELO identity) and the

[dmarc-ietf] 4.3. Authentication Mechanisms

2024-03-04 Thread Alessandro Vesely
Hi, it is not true that DMARC relies solely on SPF authentication. OLD * SPF, [RFC7208], which can authenticate both the domain found in an SMTP [RFC5321] HELO/EHLO command (the HELO identity) and the domain found in an SMTP MAIL command (the MAIL FROM identity). As noted