On Wed, Jun 21, 2023 at 1:59 AM Alessandro Vesely <ves...@tana.it> wrote:
> After sleeping on it, I think the new tag could also specify DKIM /and/ SPF,
> besides or and one only, for domains that want that extra security. Possible
> values, for example, auth=dkim|spf (default value), auth=dkim+spf, auth=dkim,
> auth=spf.

+1 to the spirit, but I think the meaning needs to be clarified. It adds value to allow domains that have control of the SPF to indicate that receivers should expect SPF and DKIM to both be DMARC aligned in the direct mail case. This provides a very useful signal to apply DKIM Replay mitigations if that's not the case. But if the policy is also p=reject that would be essentially saying "this mail should never be forwarded". That seems unreasonable, but saying DKIM needs to be aligned for DMARC to pass, and if SPF isn't aligned then consider the message a potential DKIM replay case. Though I don't know if that indicator belongs in the auth tag, or would be better as a separate parameter.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
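
The two readings of `auth=dkim+spf` discussed in this message, as an added Python example that is not part of the original thread or of any DMARC implementation. The `auth` tag is only a proposal here; the function names, the `strict_both` switch, the sample record and the exact semantics are assumptions made for illustration.

```python
# Added illustration. "auth" is a tag proposed in this thread, not part of
# published DMARC; the semantics below are assumed readings of the discussion.
DEFAULT_AUTH = "dkim|spf"
KNOWN_AUTH = {"dkim|spf", "dkim+spf", "dkim", "spf"}


def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def evaluate(record, spf_aligned, dkim_aligned, strict_both=False):
    """Return (dmarc_pass, replay_suspect) for one message.

    strict_both=True  : dkim+spf means both must align (forwarding breaks it).
    strict_both=False : aligned DKIM is enough to pass; missing SPF alignment
                        only marks the message as a possible DKIM replay.
    """
    auth = parse_tags(record).get("auth", DEFAULT_AUTH).lower()
    if auth not in KNOWN_AUTH:
        raise ValueError(f"unknown auth value: {auth!r}")
    if auth == "dkim|spf":
        return (spf_aligned or dkim_aligned, False)
    if auth == "dkim":
        return (dkim_aligned, False)
    if auth == "spf":
        return (spf_aligned, False)
    # auth == "dkim+spf"
    if strict_both:
        return (spf_aligned and dkim_aligned, False)
    return (dkim_aligned, dkim_aligned and not spf_aligned)


# Constructed sample record and (spf_aligned, dkim_aligned) scenarios.
RECORD = "v=DMARC1; p=reject; auth=dkim+spf"
SCENARIOS = {
    "direct": (True, True),
    "forwarded or replayed": (False, True),
    "spf only": (True, False),
}

if __name__ == "__main__":
    for name, (spf, dkim) in SCENARIOS.items():
        print(name, evaluate(RECORD, spf, dkim), evaluate(RECORD, spf, dkim, True))
```

A forwarded message and a replayed one produce the same alignment result here, so the second return value is a signal for further checks rather than a verdict.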