Currently, domain owners can disable SPF by removing their SPF policy,
which can run into the problems that you raise, with evaluators that only
understand SPF. But providing an authentication selector in the DMARC
policy would remedy that risk.  Evaluators who understand DMARC would use
the new DMARC policy clauses to ignore SPF, but the domain owner could
still publish an SPF policy as a fallback authentication mechanism for
those evaluators who are rudimentary.

Fixing SPF:

SPF purports to tell two things:
- which server organizations are allowed to send on my behalf, and
- which servers within those organizations have that authorization

The intra-organization filter provides more granularity, but creates all of
the SPF complexity.  I suggest that intra-organization filtering is the
responsibility of the server organization, not the evaluator.

A simpler rule would be to specify the server domains that are allowed to
send on my behalf. A message is authenticated for SPF when the server
domain (HELO or REVDNS) is in the authorized domain list and the server
host name is forward-confirmed to the Source IP. Nested includes would
not be needed, and policies would not be excessively complex.

DF
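The simplified rule sketched above (server name from HELO or reverse DNS, must be on the owner's authorized domain list, and must forward-confirm to the connecting IP), as an added toy evaluator that is not part of the original post. It assumes a bare list of server domains, that a host matches an entry when it equals it or is a subdomain of it, and a constructed in-memory DNS table in place of real lookups.

```python
"""Toy evaluator for the simplified SPF rule proposed in the post above.

Assumptions (not in the original post): the authorized list holds bare
server domains, a host name matches an entry when it equals it or is a
subdomain of it, and DNS is answered from a constructed in-memory table.
"""
import ipaddress

# Constructed DNS table standing in for real A and PTR lookups.
DNS = {
    "A": {
        "mta1.mailer.example": {"192.0.2.10"},
        "mta2.mailer.example": {"192.0.2.11"},
        "relay.partner.example": {"198.51.100.5"},
    },
    "PTR": {
        "192.0.2.10": "mta1.mailer.example",
        "198.51.100.5": "relay.partner.example",
    },
}


def in_authorized_domains(host, authorized):
    """True when host equals an authorized server domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in authorized)


def forward_confirmed(host, source_ip):
    """The host's A records must include the connecting IP.

    This is what stops a sender from simply claiming an authorized domain
    in HELO: the name must resolve back to the IP that is actually talking to us.
    """
    return source_ip in DNS["A"].get(host.lower().rstrip("."), set())


def simple_spf(source_ip, helo, authorized):
    """Return ("pass", matched_host) or ("fail", None).

    Candidate names are the HELO name and the PTR name of the source IP;
    a candidate authenticates only if it is both on the authorized list
    and forward-confirmed to the source IP.
    """
    ipaddress.ip_address(source_ip)  # reject malformed input early
    candidates = [helo, DNS["PTR"].get(source_ip)]
    for host in filter(None, candidates):
        if in_authorized_domains(host, authorized) and forward_confirmed(host, source_ip):
            return "pass", host
    return "fail", None
```

A HELO that names an authorized domain but does not resolve to the connecting IP fails, while a host with no usable HELO can still pass on a forward-confirmed PTR name.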


On Tue, Jun 20, 2023 at 5:12 AM Tobias Herkula <tobias.herk...@1und1.de>
wrote:

> Sadly they can’t, there are Mailbox Providers that expect SPF Records, so
> to maintain deliverability to those, you have to keep SPF records in place
> and can’t switch to a DKIM-only DMARC.
>
> / Tobias
>
> *From:* dmarc <dmarc-boun...@ietf.org> *On Behalf Of * Murray S. Kucherawy
> *Sent:* Sunday, June 18, 2023 2:42 AM
> *To:* Ken Simpson <ksimp...@mailchannels.com>
> *Cc:* Douglas Foster <dougfoster.emailstanda...@gmail.com>; Jan Dušátko
> <jan=40dusatko....@dmarc.ietf.org>; dmarc@ietf.org
> *Subject:* Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
>
> On Sat, Jun 17, 2023 at 2:40 PM Ken Simpson <ksimp...@mailchannels.com>
> wrote:
>
> FWIW, I'd like to chuck my hat in the ring on the side of removing SPF
> from the next iteration of DMARC. As the operator of an email delivery
> service with tens of millions of primarily uncontrolled senders on web
> hosting servers, it would be *great* if domain owners could assert via
> their DMARC record that receivers should only trust DKIM-signed email.
>
> Can these senders not accomplish the same thing by removing the SPF record
> altogether?
>
> -MSK, participating
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc