* Alessandro Vesely <ves...@tana.it>:
> On Thu 15/Jun/2023 23:25:44 +0200 Tero Kivinen wrote:
> >
> > I rerun the statistics and yes, there is 0.84% cases where dkim
> > failed, but spf returned either pass, softfail or neutral.
>
> Many thanks. That figure seems to be more or less in agreement with what
> others here have obtained on smaller samples. However small, it may confer
> to SPF the role of a stabilizer in DMARC mail flows.

The number of IP addresses in SPF records published by VLMPs foils the idea of "a controlled and limited number of hosts allowed to send on behalf of a sender domain". Given the (internal routing) challenges you face when you try to publish a limited, dedicated IP range per tenant only, I do not see the current problem we have with SPF, when it comes to using SPF as identity anchor for email authentication, go away in the future.

To me SPF destabilizes email authentication. It should not be used in future versions of DMARC anymore.

But why is it that so many hang on to SPF? My personal experience as a consultant is many domain owners prefer SPF over DKIM because SPF is easier to implement. They don't care about the one being the superior identity anchor to the other. They want to send. They want deliverability. And they want to get it done as soon as possible at the least investment. Business. Efficiency.

As long as I can think of, generating and handling DKIM keys has been a pain. There's SHA1 and SHA256, then RSA and ED25519, then there's quite a variety of flags to publish (test mode, email usage only, ...) and even if you managed to get all of that right you are likely to fail when it comes to publishing the DNS TXT record. It's overly long, requires multiline quoting etc. pp. and I've seen experienced DNS operators fail repeatedly to get it right at first attempt.

Many get publishing DKIM keys wrong, but that doesn't hurt them as long as SPF passes during DMARC authentication. They can send. They get deliverability. Why bother with DKIM problems?

If we drop SPF in DMARCv2, SPF in all its dominance will suddenly be absent and DKIM with all its implementational problems will suddenly be fully exposed. And people will suddenly be forced to implement DKIM and suffer from all the pain I've described above. I do expect them to be not amused - to put it friendly.

I suggest that we do not only drop SPF, but also come up with better ways (simplification, tools, exchange formats) to implement DKIM in order to allow for a smooth transition.

p@rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
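
Added example, not part of the original message: a small Python check for the DKIM publishing mistakes described above (over-long TXT strings, wrong flags, a damaged key), following the tag list in RFC 6376 section 3.6.1 and RFC 8463 for ed25519. The function names and the sample record are constructed for illustration; the sample key is filler bytes, not a real key.

```python
import base64
import re

# Constructed sample: 294 filler bytes stand in for a key; not a real RSA key.
SAMPLE = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()

def to_zone_rdata(value, limit=255):
    """Split one long record value into quoted strings of <= limit bytes."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return "( " + " ".join(f'"{c}"' for c in chunks) + " )"

def check_dkim_txt(rdata):
    """Return the problems found in zone-file TXT rdata holding a DKIM key."""
    strings = re.findall(r'"([^"]*)"', rdata)
    if not strings:
        return ["no quoted strings found"]
    problems = []
    if any(len(s.encode()) > 255 for s in strings):
        problems.append("a character-string exceeds 255 bytes")
    # Verifiers concatenate the strings with nothing in between.
    record = "".join(strings)
    tags = []
    for part in record.split(";"):
        if part.strip():
            name, _, val = part.partition("=")
            tags.append((name.strip(), "".join(val.split())))
    d = dict(tags)
    if "v" in d and (tags[0][0] != "v" or d["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    ktype = d.get("k", "rsa")  # rsa is the default key type
    if ktype not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={ktype}")
    if "h" in d and "sha256" not in d["h"].split(":"):
        problems.append("h= does not allow sha256")
    if set(filter(None, d.get("t", "").split(":"))) - {"y", "s"}:
        problems.append("unknown flag in t=")
    if "p" not in d:
        problems.append("p= tag missing")
    elif d["p"] == "":
        problems.append("p= is empty (key revoked)")
    else:
        try:
            key = base64.b64decode(d["p"], validate=True)
            if ktype == "ed25519" and len(key) != 32:
                problems.append("ed25519 key is not 32 bytes")
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

print(check_dkim_txt(to_zone_rdata(SAMPLE)))
```

It checks syntax only: it does not query DNS and does not parse the RSA key structure inside `p=`.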