On Thu 22/Jun/2023 19:34:43 +0200 Jan Dušátko wrote:
Dne 21. 6. 2023 v 10:59 Alessandro Vesely napsal(a):
On Tue 20/Jun/2023 09:29:13 +0200 Wei Chuang wrote:
Our proposal would be for DMARCbis to maintain the default for SPF and DKIM
support, and to support senders that want to drop SPF as one of their DMARC
authentication methods to avoid the SPF upgrade vulnerability.
After sleeping on it, I think the new tag could also specify DKIM /and/ SPF,
besides or and one only, for domains that want that extra security. Possible
values, for example, auth=dkim|spf (default value), auth=dkim+spf, auth=dkim,
auth=spf.
Possibility of choosing policy based on evaluation of the SPF, SPF and DKIM, SPF
or DKIM event. DKIM itself in DMARC2 will be really helpful. In case of DKIM
and SPF need to pass, seems to be little bit different results than previous.
This will definitely satisfy me for thousands of domains.
Requiring both DKIM and SPF to be aligned and verified is very harsh.
Forwarding would be disallowed, except for specific agreements. It wouldn't be
handy for general purpose mail domains, but could beat replay in some cases.
Albeit reckless users would have the possibility to shoot their own feet, DMARC
aggregate reports should provide a good forecast of the results.
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
