Organisations using DKIM-only (also SPF-only) with an enforcing DMARC policy 
are more common than you may think. While some configurations are perhaps in 
error, many I have encountered are deliberate decisions based on specific use 
cases.

For example, I have a finance house that uses DKIM-only auth with p=reject on 
their main domain. When deploying DMARC they risked it and decided that giving 
a third-party control of their SPF (via an include) was not an option. It’s a 
valid reason whether one personally agrees with it or not. There are tons of 
other reasons why organisations make similar decisions.

Single auth is actively used in the wild.

Ken.

From: dmarc <dmarc-boun...@ietf.org> On Behalf Of Douglas Foster
Sent: Monday 27 December 2021 13:51
To: IETF DMARC WG <dmarc@ietf.org>
Subject: [dmarc-ietf] Section 5 - DKIM-only authentication

These two sections assume that some domain owners will want DMARC 
authentication to be based on DKIM only.

5 Policy
A Domain Owner can also choose to not have some underlying authentication 
technologies apply to DMARC evaluation of its domain(s). In this case, the 
Domain Owner simply declines to advertise participation in those schemes. For 
example, if the results of path authorization checks ought not be considered as 
part of the overall DMARC result for a given Author Domain, then the Domain 
Owner does not publish an SPF policy record that can produce an SPF pass result.

5.7.2. Determine Handling Policy
Heuristics applied in the absence of use by a Domain Owner of either SPF or 
DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be the case that 
the Domain Owner wishes a Message Receiver not to consider the results of that 
underlying authentication protocol at all.

We agreed to drop the reference to Best-Guess-SPF, but we have not addressed 
the underlying requirement.  Do we actually have domain owners who do not want 
SPF included in the DMARC evaluation process?  If so, why?

I am guessing that this request could only originate from a domain owner with a 
valid but overly inclusive SPF record, probably because of include clauses.   
The suggested strategy of no SPF record, or the equivalent "?ALL", are not 
acceptable. These approaches only make a weak SPF policy even weaker. To 
allow an overly-broad SPF policy to be ignored for DMARC purposes, we should 
provide an explicit policy flag for this purpose.

But each new option adds complexity.   Is this option actually valuable to 
somebody?
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
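To make the DKIM-only scenario discussed in this thread concrete, here is an added Python example (not code from either poster or from the IETF) implementing the DMARC pass rule with identifier alignment. The domains and authentication results are constructed, and the Organizational Domain lookup is a simplified assumption (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Simplified Organizational Domain: the last two labels.
    Assumption for the constructed samples below; real receivers use the
    Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, author_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed)
    requires the same Organizational Domain."""
    if mode == "s":
        return identifier.lower() == author_domain.lower()
    return org_domain(identifier) == org_domain(author_domain)


@dataclass
class AuthResults:
    author_domain: str                        # RFC5322.From domain
    spf_result: str = "none"                  # "none" when no SPF record exists
    spf_domain: str = ""                      # RFC5321.MailFrom domain SPF checked
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]


def evaluate(ar: AuthResults, policy: str = "reject",
             adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if EITHER an aligned SPF pass OR an aligned DKIM pass exists.
    An SPF result of 'none' or 'neutral' can never contribute, which is what
    makes a DKIM-only deployment work; an SPF 'pass' always counts, which is
    the concern raised about overly broad include clauses."""
    spf_ok = ar.spf_result == "pass" and aligned(ar.spf_domain, ar.author_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, ar.author_domain, adkim) for d, r in ar.dkim)
    ok = spf_ok or dkim_ok
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": "pass" if ok else "fail",
            "disposition": "none" if ok else policy}


# Constructed samples. example.com is a hypothetical DKIM-only domain: it
# publishes DKIM and p=reject but no SPF record, so every SPF result is "none".
DKIM_ONLY_OK = AuthResults("example.com", "none", "example.com",
                           [("mail.example.com", "pass")])
DKIM_ONLY_UNSIGNED = AuthResults("example.com", "none", "example.com", [])
# example.net has an overly broad SPF record: an aligned SPF pass alone yields
# a DMARC pass, and no policy flag lets the owner have SPF ignored.
BROAD_SPF_NO_DKIM = AuthResults("example.net", "pass", "example.net", [])

if __name__ == "__main__":
    for name, ar in [("dkim-only signed", DKIM_ONLY_OK),
                     ("dkim-only unsigned", DKIM_ONLY_UNSIGNED),
                     ("broad spf, no dkim", BROAD_SPF_NO_DKIM)]:
        print(f"{name:22s} -> {evaluate(ar)}")
```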
