On June 8, 2023 8:35:24 PM UTC, Barry Leiba <barryle...@computer.org> wrote:
>> A sender using both SPF and DMARC will see a slight
>> boost in validation rates due to increased resiliency when there are
>> transient DNS failures and other problems.
>
>Do you mean "both SPF and DKIM", perhaps?
>
>I don't see how that makes sense: if there's a transient DNS failure,
>then neither the SPF nor the DKIM (nor the DMARC) records can be
>retrieved.
>
>I also don't see how using an unreliable mechanism is a benefit.  It
>demonstrably hurts validation rates related to relayed/forwarded mail,
>and can cause *false* validations in cases of overly-broad SPF
>configurations (as when a large provider that also hosts many spammers
>is used).

I'm pretty sure he meant SPF and DKIM.  His statement is consistent with my 
observations.

There are DKIM verification failures for reasons unrelated to DNS failures.  As 
an example, I recently fixed a DKIM validation bug in the library I maintain 
which was causing a small fraction of valid signatures to fail verification 
since at least 2011.  SPF + DKIM reduces DMARC failures.  

It's true that SPF is not particularly helpful for indirect mail flows, but I 
read your message as claiming using SPF with DKIM causes DMARC verification to 
be worse for indirect mail flows than when using DKIM alone.  Is that right?  
If so, please expand on that because I don't understand it.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
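
The DMARC evaluation rule under discussion in this thread, as an added example that is not part of any participant's message: under RFC 7489 a message passes DMARC when either SPF or DKIM passes with an identifier aligned to the From domain. The sample messages are constructed, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
# Added example: DMARC outcome from SPF/DKIM results (RFC 7489 semantics).

def org_domain(domain):
    # Assumption: "last two labels" stands in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_pass(msg, use_spf=True, use_dkim=True, strict=False):
    # DMARC passes when at least one mechanism both passes and is aligned.
    spf_ok = (use_spf and msg["spf"] == "pass"
              and aligned(msg["mailfrom"], msg["from"], strict))
    dkim_ok = use_dkim and any(
        result == "pass" and aligned(d, msg["from"], strict)
        for d, result in msg["dkim"])
    return bool(spf_ok or dkim_ok)

# Constructed sample results, as a receiver might record them.
MESSAGES = [
    # Direct delivery, everything verifies.
    {"from": "example.com", "mailfrom": "bounce.example.com", "spf": "pass",
     "dkim": [("example.com", "pass")]},
    # Direct delivery, valid signature rejected by a verifier bug (not DNS).
    {"from": "example.com", "mailfrom": "bounce.example.com", "spf": "pass",
     "dkim": [("example.com", "fail")]},
    # Forwarded unchanged: SPF fails at the forwarder's IP, DKIM survives.
    {"from": "example.com", "mailfrom": "bounce.example.com", "spf": "fail",
     "dkim": [("example.com", "pass")]},
    # Mailing list rewrote the body: SPF passes for the list's own domain
    # (unaligned) and the original signature no longer verifies.
    {"from": "example.com", "mailfrom": "list.example.net", "spf": "pass",
     "dkim": [("example.com", "fail")]},
]

def pass_count(use_spf, use_dkim):
    # use_spf=False / use_dkim=False model a sender not using that mechanism.
    return sum(dmarc_pass(m, use_spf, use_dkim) for m in MESSAGES)

if __name__ == "__main__":
    print("DKIM only :", pass_count(False, True), "of", len(MESSAGES))
    print("SPF only  :", pass_count(True, False), "of", len(MESSAGES))
    print("SPF + DKIM:", pass_count(True, True), "of", len(MESSAGES))
```

In this constructed set the forwarded message gets the same DMARC result with or without SPF, while the direct message hit by the verifier bug passes only when SPF is also evaluated.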
