Thanks for the follow-up, Scott.

> It's not a case of I've seen a few failures, it's consistent (all I can say
> for certain is that it was as I no longer have access to this data). It was
> consistent across time and providers. At scale, DKIM would always have a
> fraction of a percent failure rate, while SPF would not (for direct
> connections ...
> The leads to a situation where the DMARC pass rate for direct connections
> would vary depending on if SPF was included:
>
> DKIM only: ~99.5%
> DKIM + SPF: ~100%
> SPF only: ~100%

That's interesting and disturbing if it remains consistent. Theoretically, DKIM should *never* fail when SPF succeeds, so if that's happening it means there is:

1. bad signing software,
2. bad verifying software,
3. misconfiguration somewhere,

...or a combination of those three.

I would *really* like to see a current study of this, because I think it's critical for the future viability of DMARC, whether or not we accept the proposal to remove SPF. If DKIM is not working reliably when it should, we absolutely need to understand why and work on getting it fixed if we can. If there used to be problems that do not currently exist, we need to understand that as well, so we can make current arguments with currently accurate data. Either way, we need to know what's really happening.

Are there working group participants who can do this sort of evaluation, not just giving numbers but also analyzing why DKIM failures happened when they should not have?

Thanks again, Scott,

Barry

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc