On December 5, 2021 12:23:40 AM UTC, "Murray S. Kucherawy"
<superu...@gmail.com> wrote:
>On Sat, Dec 4, 2021 at 2:35 PM Douglas Foster <
>dougfoster.emailstanda...@gmail.com> wrote:
>
>> I think this text was inserted because of an open ticket when discussion
>> was going nowhere and a new draft was created. Perhaps the originator of
>> that ticket can elaborate on his thinking.
>>
>
>I believe the admonishment against best-guess SPF was based at least in
>part on the sentiments found here:
>
>http://www.open-spf.org/FAQ/Best_guess_record/
>
>...which is to say it's apparently a discouraged practice.
>
>It makes it difficult for DMARC to be deterministic when the things upon
>which it's built behave in unpredictable ways. That's not to say this is
>unique though; DKIM, for example, allows verifiers to decide what an
>acceptable signature is (a favorite I remember from the early days was "I
>don't want to accept a DKIM signature that didn't cover the Subject
>field"), which again means one site's "pass" is another site's "fail".
Much like Dave's response about DKIM, I think what an SPF result is is well
defined. The so called "Best Guess" isn't an SPF result at all.
Implementation and interoperability requirements for SPF are defined by RFC
7208 (and formerly RFC 4408). Neither it nor it's predecessor ever defined
this. It's not implemented in Mail::SPF, which is the closest thing there is
to a reference implementation.
We already say to use DKIM and SPF. If you want an enumerated list of all the
things that aren't DKIM or SPF to tell people not to do, I think it would be a
long list. As far as I know, no RFC even mentions "Best Guess" and this one
should not be the first.
Scott K
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
