HUGE cringe ;-) DMARC has an explicit policy that either SPF or DKIM must pass aligned. This proposal breaks that foundationally.
This is suggested quite frequently, but fails to understand just how few senders of email actually send with DKIM. Most email is sent from services that have a core business that's not in email, and when we're lucky, they manage to publish an SPF record for their customers to use. Only large volume sophisticated services tend to do DKIM. A domain owner that requires everything that sends on its behalf to use DKIM basically shoots itself in the foot, and makes most of the services they'd need to use unavailable to themselves. The correct answer is what you said: domain owners who want this should only authenticate services using DKIM. Seth On Mon, Jun 14, 2021 at 10:10 AM Brotman, Alex <Alex_Brotman= 40comcast....@dmarc.ietf.org> wrote: > Hello, > > I was talking to some folks about DMARC, and a question came as to suggest > as the domain holder that your messages should always pass DKIM. > Effectively, the asker wants to say "I intend to deploy SPF and DKIM, but I > will *always* sign my messages with DKIM." So the obvious answer may be > "Just only use DKIM", but I'm not sure that completely answers the > question. While discussing with someone else, "Tell me when DKIM fails, > but SPF is fully aligned". There was recently an incident at a provider > where they were allowing any sender to send as any domain (and I'm aware > that's not specifically a DMARC issue). We all know brands that have just > dumped in a pile of "include" statements without fully understanding the > implications. In this case, other users could send as other domains, but > perhaps they would not have been DKIM signed. Should there be a method by > which a domain holder can say "We want all message to have both, or be > treated as a failure", or "We'll provide both, but DKI > M is a must"? > > >From a receiver side, it makes evaluation more complex. From a sender > side, it gives them more control over what is considered pass/fail. > > How does this look in practice? Maybe > "v=DMARC1;p=quarantine;rua=...;pm=dkim:must,spf:should;" > (pm=Policy Matrix) > > Does this make everyone cringe, or perhaps worth a larger discussion? > > -- > Alex Brotman > Sr. Engineer, Anti-Abuse & Messaging Policy > Comcast > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc > -- *Seth Blank* | VP, Product *e:* s...@valimail.com *p:* 415.273.8818 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
