On Thu 08/Jun/2023 16:44:14 +0200 Barry Leiba wrote:
> See, I don't look at it as "harmed". Rather, I think they're using "we use SPF" as a *reason* not to use DKIM, and I think that *causes* harm.
Does that mean SPF is easier to enter than DKIM? Maybe. It can be an advantage, though.
> SPF is, as I see it, worse than useless, as it adds no value to domains that use DKIM -- any time DKIM fails SPF will also fail -- and actually impedes the adoption of DKIM.
I agree SPF is much too bloated by some providers, to the point that impersonation with dmarc=pass can be achieved programmatically. However, I'd rather counter this using an extra spf=no tag, than v=DMARC2. (Furthermore, I'd specify such extra tag in a separate document, not dmarcbis.)
One case I saw multiple times where DKIM fails while SPF verifies is when the message contains a line starting with "from " which some agent changes to ">from ". Some signing software eliminates such lines before signing, but that's not in the spec, so one cannot say a signer is defective if it doesn't do it.
What I find nonsensical is to eliminate SPF in order to save DNS queries, given that we replaced local PSL lookups with a series of queries. We cannot do that and pretend that SPF is too expensive.
Best
Ale
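
The DKIM failure described in the message above, as an added example that is not part of the original post: relaxed body canonicalization (RFC 6376, section 3.4.4) only normalizes whitespace and trailing empty lines, so a body line rewritten to ">From " yields a different body hash. The sample body, the function names and the capital-F `From ` match (mbox-style escaping) are assumptions made for illustration.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of space/tab to one space, strip whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value that goes into bh= for a relaxed body with a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()


def mbox_escape(body: bytes) -> bytes:
    """Assumed agent behaviour: prefix body lines starting 'From ' with '>'."""
    return re.sub(rb"(?m)^From ", b">From ", body)


def at_risk_lines(body: bytes) -> list[int]:
    """1-based numbers of body lines that such an agent would rewrite."""
    return [n for n, ln in enumerate(body.split(b"\r\n"), 1)
            if ln.startswith(b"From ")]


# Constructed sample body (CRLF line endings, as on the wire).
SAMPLE = (b"Hi all,\r\n"
          b"\r\n"
          b"From what I can tell the record is fine.\r\n"
          b"Regards\r\n")

if __name__ == "__main__":
    print("lines at risk:   ", at_risk_lines(SAMPLE))
    print("bh as signed:    ", body_hash(SAMPLE))
    print("bh after escape: ", body_hash(mbox_escape(SAMPLE)))
```

Running `at_risk_lines` over outgoing bodies before signing shows which messages can lose their DKIM pass if a downstream agent escapes them.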