These two sections assume that some domain owners will want DMARC authentication to be based on DKIM only.
> 5. Policy
>
> A Domain Owner can also choose to not have some underlying authentication technologies apply to DMARC evaluation of its domain(s). In this case, the Domain Owner simply declines to advertise participation in those schemes. For example, if the results of path authorization checks ought not be considered as part of the overall DMARC result for a given Author Domain, then the Domain Owner does not publish an SPF policy record that can produce an SPF pass result.

> 5.7.2. Determine Handling Policy
>
> Heuristics applied in the absence of use by a Domain Owner of either SPF or DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be the case that the Domain Owner wishes a Message Receiver not to consider the results of that underlying authentication protocol at all.

We agreed to drop the reference to Best-Guess-SPF, but we have not addressed the underlying requirement.

Do we actually have domain owners who do not want SPF included in the DMARC evaluation process? If so, why?

I am guessing that this request could only originate from a domain owner with a valid but overly inclusive SPF record, probably because of include clauses. The suggested strategy of no SPF record, or the equivalent "?ALL", is not acceptable. These approaches only make a weak SPF policy even weaker.

To allow an overly-broad SPF policy to be ignored for DMARC purposes, we should provide an explicit policy flag for this purpose. But each new option adds complexity. Is this option actually valuable to somebody?
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
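As an added illustration (not from the draft or from this thread), the following Python model walks through the trade-off discussed above: an overly inclusive SPF record lets SPF alone carry a DMARC pass for an unrelated sender, while the draft's suggested alternatives (no record, or "?all") only remove SPF from DMARC by giving every receiver a weaker SPF answer. The SPF records, IP addresses and the two-label organizational-domain rule are constructed simplifications for this example.

```python
import ipaddress

# Minimal SPF evaluator for this example: only ip4 mechanisms and "all" are handled.
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Return the SPF result for sender_ip against a simplified SPF record."""
    if record is None:
        return "none"            # no record published: SPF can never produce a pass
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUAL[qual]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUAL[qual]
    return "neutral"                         # nothing matched and no "all" term

def org_domain(domain):
    # Simplified organizational domain: last two labels (a real receiver uses the PSL)
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' an org-domain match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf_result, mailfrom_domain, dkim_results, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM yields an aligned pass; otherwise it fails."""
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for d, r in dkim_results)
    return "pass" if spf_ok or dkim_ok else "fail"

def compare(records, sender_ip, from_domain, mailfrom_domain, dkim_results):
    """Evaluate one message against each candidate SPF record; returns {name: (spf, dmarc)}."""
    out = {}
    for name, rec in records.items():
        spf = spf_check(rec, sender_ip)
        out[name] = (spf, dmarc_result(from_domain, spf, mailfrom_domain, dkim_results))
    return out

# Constructed records for example.com. "broad" stands for a record that an include
# chain has widened to a shared provider range (198.51.100.0/24 here).
RECORDS = {
    "broad":   "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    "neutral": "v=spf1 ?all",
    "none":    None,
}
```

Running `compare(RECORDS, "198.51.100.77", "example.com", "example.com", [])` for an unsigned message from another tenant of the shared range gives `broad` an SPF pass and therefore a DMARC pass, whereas `neutral` and `none` leave DMARC to fail in the absence of DKIM; adding an aligned DKIM pass makes all three produce a DMARC pass.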