> DMARC requires using SPF or DKIM or SPF and DKIM. If neither method is
> used, DMARC can report the situation, but it won't prevent receipt (am I
> correct?).

You are not correct; DMARC is designed to handle this situation, among others.

I'll oversimplify here, because you really do need to read and
understand the DMARC spec:

A receiver that implements DMARC will look at the domain name in the
message's "From" header field and will retrieve the DMARC policy
record from that domain.  If the record says, for example, "p=reject",
and there is no SPF or DKIM authentication that matches that domain
name, that means that the receiver is being asked *not* to deliver the
message, but instead to reject it (whether the receiver does so or not
depends upon their own policy).

Now, of course, a sender that uses neither SPF nor DKIM on its
legitimate mail would be foolish to use a "p=reject" DMARC policy.
But if a spammer pretends to be them and tries to sneak by, well, as I
said, that's exactly what DMARC is intended to deal with.

Barry

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
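
The receiver-side evaluation described in the message above, as an added example that is not part of the original post or of any DMARC implementation. The DNS records and domains are constructed, and the organizational domain is approximated by the last two labels (an assumption; real receivers use the Public Suffix List).

```python
# Constructed sample DNS TXT data (not real records).
RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.example.org": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = (part.split("=", 1) for part in (txt or "").split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the PSL lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(from_domain, spf=None, dkim=(), records=RECORDS):
    """spf: (result, MAIL FROM domain) or None; dkim: list of (result, d= domain).
    Returns 'pass', 'no-policy', or the handling the domain owner requests."""
    from_domain = from_domain.lower()
    policy = parse_dmarc(records.get("_dmarc." + from_domain))
    is_sub = False
    if policy is None:  # fall back to the organizational domain's record
        policy = parse_dmarc(records.get("_dmarc." + org_domain(from_domain)))
        is_sub = True
    if policy is None:
        return "no-policy"
    spf_ok = (bool(spf) and spf[0] == "pass"
              and aligned(spf[1], from_domain, policy.get("aspf", "r")))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass"
    # Requested handling only; the receiver's own policy decides what happens.
    requested = policy.get("p", "none")
    return policy.get("sp", requested) if is_sub else requested
```

A message with no SPF or DKIM at all and one that authenticates only as an unrelated domain both end up at the From domain's requested policy, which is the case the reply describes.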
