On Mon, Dec 6, 2021 at 7:45 AM Alessandro Vesely <ves...@tana.it> wrote:
> Hi,
>
> I have a few nits about this section:
>
> This section describes Domain Owner actions to fully implement the
> DMARC mechanism.
>
> Actually, the section doesn't mention DMARC checking, adhering to policies
> found in DMARC records, and sending feedback reports. Hence I'd strike
> "fully". It describes sender side actions.
>

"fully" was left over from a previous attempt to address https://trac.ietf.org/trac/dmarc/ticket/66

It will be stricken from the next rev.

> While it is possible to secure a DMARC pass verdict based on only SPF
> or DKIM, it is commonly accepted best practice to ensure that both
> authentication mechanisms are in place in order to guard against
> failure of just one of them.
>
> SPF normally fails on forwarding. Should we mention that?
>

I don't know if it's necessary. SPF breaking due to forwarding is a well-known condition, and I don't think it has to be documented in every text that mentions SPF. For what it's worth, the introductory text to section 5 and the text in Appendix B.3.1 both hint at forwarding causing authentication problems.

> The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d=
> domain in the DKIM-Signature header) that aligns with the Author
> Domain and configure its system to sign using that domain, to include
> publishing a corresponding DKIM public key in DNS.
>
> Maybe it's me, but I cannot understand "to include" in the last phrase of
> that sentence.
>

This was a ham-fisted attempt on my part to mimic text from the preceding paragraph on SPF. Section 5.5.1, Publish an SPF Policy for an Aligned Domain, includes this sentence:

"As a first step the Domain Owner SHOULD choose a domain to use as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail, one that aligns with the Author Domain, and then publish an SPF policy in DNS for that domain."

So, in Section 5.5.2, Configure Sending System for DKIM Signing Using an Aligned Domain, I was going for similar phrasing to express the idea "Do the authentication stuff, and publish something in DNS to make it work."

I'll have to think about how to word that better.

> Should any overlooked systems be found in the
> reports, the Domain Owner can adjust the SPF record and/or configure
> DKIM signing for those systems.
>
> I'd s/overlooked systems/failures/, since surprises can also arise from
> systems that the Domain Owner considered to have been set up well.
>

How about:

"Should any authentication failures for systems under the Domain Owner's control be found in the reports, the Domain Owner can adjust the SPF record and/or configure DKIM signing for those systems."

--
Todd Herr | Technical Director, Standards and Ecosystem
e: todd.h...@valimail.com
m: 703.220.4153