We can say that as well, but I want to specifically say "don't use SPF without DKIM and expect it to work right;"
b On Thu, Apr 13, 2023 at 12:41 PM Dotzero <dotz...@gmail.com> wrote: > > > On Thu, Apr 13, 2023 at 12:19 PM Barry Leiba <barryle...@computer.org> > wrote: > >> Maybe just add a sentence to the end of the second paragraph: >> >> The use of SPF alone, without DKIM, is strongly NOT RECOMMENDED. >> >> Barry >> > > I think the opposite. Something along the lines of "Sending domains SHOULD > implement both SPF and DKIM to minimize breakage and non-delivery of mail. > > Michael Hammer > > >> >> >> On Thu, Apr 13, 2023 at 12:04 PM Todd Herr <todd.h...@valimail.com> >> wrote: >> >>> On Thu, Apr 13, 2023 at 11:21 AM Barry Leiba <barryle...@computer.org> >>> wrote: >>> >>>> > Anyone who does forwarding is damaged by DMARC because there are a >>>> lot of >>>> > people who do DMARC on the cheap with SPF only. >>>> >>>> This brings up another issue, I think: that there should also be >>>> stronger advice that using DKIM is critical to DMARC reliability, and >>>> using SPF only, without DKIM, is strongly NOT RECOMMENDED. >>>> >>>> I don't disagree. >>> >>> How do we make the following text stronger? >>> 5.5.2. >>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2>Configure >>> Sending System for DKIM Signing Using an Aligned Domain >>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#name-configure-sending-system-fo> >>> >>> While it is possible to secure a DMARC pass verdict based on only one of >>> SPF or DKIM, it is commonly accepted best practice to ensure that both >>> authentication mechanisms are in place to guard against failure of just one >>> of them. >>> >>> This is particularly important because SPF will always fail in >>> situations where mail is sent to a forwarding address offered by a >>> professional society, school or other institution, where the address simply >>> relays the message to the recipient's current "real" address. Many >>> recipients use such addresses and with SPF alone and not DKIM, messages >>> sent to such users will always produce DMARC fail. >>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2-2> >>> >>> The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d= >>> domain in the DKIM-Signature header) that aligns with the Author Domain. >>> >>> >>> -- >>> >>> *Todd Herr * | Technical Director, Standards and Ecosystem >>> *e:* todd.h...@valimail.com >>> *m:* 703.220.4153 >>> >>> This email and all data transmitted with it contains confidential and/or >>> proprietary information intended solely for the use of individual(s) >>> authorized to receive it. If you are not an intended and authorized >>> recipient you are hereby notified of any use, disclosure, copying or >>> distribution of the information included in this transmission is prohibited >>> and may be unlawful. Please immediately notify the sender by replying to >>> this email and then delete it from your system. >>> >> _______________________________________________ >> dmarc mailing list >> dmarc@ietf.org >> https://www.ietf.org/mailman/listinfo/dmarc >> >
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc