On Thu, Jan 22, 2015 at 5:03 PM, Scott Kitterman <skl...@kitterman.com>
wrote:

> On January 22, 2015 6:35:59 PM EST, Kurt Andersen <kb...@drkurt.com>
> wrote:
> >On Thu, Jan 22, 2015 at 3:30 PM, Scott Kitterman <skl...@kitterman.com>
> >wrote:
> >
> >> If I were configuring an SPF verifier to provide an input to DMARC
> >> processing, then I would probably configure it not to reject based on
> >> SPF fail.  Then the problem doesn't arise.
> >
> >
> >Are you suggesting that the DMARC spec should say that people SHOULD
> >configure (some would say usurp) SPF in such a way? I seem to recall some
> >contentious discussions about such usurpation during SPFbis (though I could
> >be conflating arguments from another context).
>
> Of course. Section 6.7 discusses this in general terms. If you want to
> only use SPF as an input to DMARC, then it wouldn't make sense to set up
> your system to reject mail just based on SPF.
>
> Specifying receiver policy was somewhat contentious in SPFbis.  In the
> end, RFC7208 specifies almost, if not, exactly the same amount of receiver
> policy as did RFC4408 (almost none).
>

I think that the crux of the issue is this:

1) The DMARC spec was written with 4408 as context. That remains true
today, except that in the meantime 7208 was finalized (thanks to SPFbis)
and Murray was seeking to keep up with the times by following the "7208
obsoletes 4408" statement.

2) The key problem is that 7208 changes the checking precedence.  Here's
what the two specs actually say:

4408, section 2.2: "SPF clients MUST check the "MAIL FROM" identity."

7208, section 2.4: "SPF verifiers MUST check the "MAIL FROM" identity if a
"HELO" check either has not been performed or has not reached a definitive
policy. . ."

My recommendation is to take -12 and amend it to change the SPF reference
back to 4408 and let the WG wrestle through how to handle the change that
was introduced in 7208.

--Kurt
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
