On Fri, Feb 11, 2022 at 3:14 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
> I know that we took out the reference to default policy at my request, and
> I think it was in section 7.1. But subsequent discussion helped me to
> understand objectives that were not clear to me in the previous text. I
> think we need to re-insert something specific about domain owners that want
> DKIM-only authentication. Proposed language:
>
> “Some domain owners want DMARC authentication to use DKIM signatures
> only. This requires ensuring an SPF result other than PASS. An SPF
> result of FAIL or SOFTFAIL is likely to produce unwanted rejects by
> non-DMARC evaluators. An SPF result of NONE may be ineffective if
> an evaluator responds to NONE by applying a locally-defined default SPF
> policy that produces an unintended SPF PASS. Domain owners who desire
> DKIM-only authentication are RECOMMENDED to publish a policy of “?ALL”,
> which ensures an SPF result of NEUTRAL, neither PASS nor FAIL.
> Similarly, DMARC evaluators SHOULD treat SPF NONE as equivalent to NEUTRAL
> when the RFC5322.From domain has an applicable DMARC policy record.”
>
> Doug Foster

-1 on the proposed language. A Sending domain may choose not to publish an
SPF record. That is their prerogative. The only appropriate warning is that
if a message passes through a 3rd party where the DKIM signature might be
broken, AND a DMARC policy other than NONE is published, the message may be
quarantined or rejected depending on the published policy.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
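The outcomes discussed in this thread, as an added example that is not part of either message: a simplified model of how the SPF result for a sender not listed in the record combines with DKIM and the published DMARC policy. The SPF records are constructed, `local_default` is a hypothetical stand-in for an evaluator's locally-defined default SPF policy, and identifier alignment is assumed to hold whenever SPF or DKIM passes.

```python
# Added illustration: simplified DMARC evaluation. Not a full SPF evaluator:
# only the terminal "all" mechanism is modelled, modifiers such as redirect=
# are ignored, and alignment is assumed (see evaluate()).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result_unlisted_sender(record, local_default=None):
    """SPF result for a sender that matches nothing before 'all'.

    record: published SPF TXT string, or None if the domain publishes none.
    local_default: hypothetical result an evaluator substitutes for 'none'.
    """
    if record is None:
        return local_default or "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if term[0] in QUALIFIER_RESULT:
            qualifier, mechanism = term[0], term[1:]
        else:
            qualifier, mechanism = "+", term  # the default qualifier is "+"
        if mechanism.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # RFC 7208: nothing matched, so the result is neutral

def dmarc_disposition(spf, spf_aligned, dkim_pass, dkim_aligned, policy):
    """Return (dmarc_result, disposition); 'none' means no policy action."""
    passed = (spf == "pass" and spf_aligned) or (dkim_pass and dkim_aligned)
    return ("pass", "none") if passed else ("fail", policy)

def evaluate(record, dkim_intact, policy, local_default=None):
    """Return (spf_result, dmarc_result, disposition), alignment assumed."""
    spf = spf_result_unlisted_sender(record, local_default)
    return (spf,) + dmarc_disposition(spf, True, dkim_intact, True, policy)

if __name__ == "__main__":
    scenarios = [  # constructed cases: (label, record, DKIM intact, p=, default)
        ("?all, DKIM intact", "v=spf1 ?all", True, "reject", None),
        ("?all, DKIM broken in transit", "v=spf1 ?all", False, "reject", None),
        ("no record, DKIM broken", None, False, "quarantine", None),
        ("no record, local default passes", None, False, "reject", "pass"),
        ("-all, DKIM intact", "v=spf1 -all", True, "reject", None),
    ]
    for label, record, dkim_ok, policy, default in scenarios:
        print(f"{label:34} -> {evaluate(record, dkim_ok, policy, default)}")
```

The last scenario passes DMARC on DKIM alone, but an evaluator that acts on the SPF result without DMARC still sees `fail`, which this model does not capture.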