Two things:

> If unspecified with a policy tag "auth=", this indicates that both DKIM and
> SPF are supported.

I don’t like this approach. I think that the absence of auth= means what it has always meant: the sending domain is not specifying what authentication methods it is using and the receiving domain should check both SPF and DKIM. This is significantly different to the sending domain explicitly specifying that it uses DKIM in that in the latter case the receiving domain can treat the absence of a DKIM signature with suspicion.

And the ABNF is needlessly complex and does not allow for extension. It’s easy to rework it in the manner of many other specifications that do similar things.

Barry

On Fri, Aug 4, 2023 at 12:17 PM Wei Chuang <weihaw=40google....@dmarc.ietf.org> wrote:

> At IETF-117, I restarted the proposal for a policy "auth=" tag based on
> the proposal here
> <https://mailarchive.ietf.org/arch/msg/dmarc/KeGbMfX91WJk_aziKsrRfI6AYkI/>.
> The "auth=" policy allows for restriction of SPF in scenarios where it
> might be problematic but still retains its availability in DMARC by
> default. I didn't hear objections at 117, so below is some proposed
> language for "auth=" for dmarc-ietf-dmarc-dmarcbis.
>
> -Wei
>
> =====
>
> 1. Introduction, 3rd paragraph insert after first sentence:
>
> In addition, the choice of permitted authentication methods, SPF or DKIM,
> MAY be explicitly specified, potentially to restrict the supported
> authentication methods.
>
> 4.3 Authentication Mechanisms append:
>
> Domain Owners and PSOs MAY explicitly specify the supported authentication
> methods via the "auth=" tag. The value is a colon ':' separated list of
> supported authentication methods without whitespace. The order of the list
> isn't significant, and unknown methods are ignored. An aligned passing
> result for any listed method indicates a DMARC pass. An empty list
> indicates no authentication method is specified and DMARC is disabled. If
> unspecified with a policy tag "auth=", this indicates that both DKIM and
> SPF are supported.
>
> 5.3 General Record Format insert:
>
> auth: Indicates the supported authentication methods. If more than one
> method is specified, they are colon ':' separated without whitespace. The
> order of the list is not significant and unknown methods are ignored. An
> empty list indicates no authentication method is specified and DMARC is
> disabled.
>   dkim: Authenticate with DKIM
>   spf: Authenticate with SPF
>
> 5.4. Formal Definition insert:
>
> dmarc-auth = <empty> / "dkim" / "spf" / "dkim:spf" / "spf:dkim"
>
> Table:
> Tag Name   Value Rule
> auth       dmarc-auth
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
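
The tag semantics discussed in this thread, as an added example that is not part of either message and is not code from the DMARC working group. It follows the quoted prose for "auth=", keeps track of whether the tag was present at all (the distinction raised in the reply), and compares a value against the five enumerated ABNF alternatives. The function names, the simplified tag-list splitting, and the method name "futuremethod" are assumptions made for illustration.

```python
KNOWN = {"dkim", "spf"}
# The five alternatives enumerated in the proposed dmarc-auth ABNF rule.
ABNF_VALUES = {"", "dkim", "spf", "dkim:spf", "spf:dkim"}


def parse_tags(record):
    """Split a DMARC record into {tag: value} (simplified tag-list parsing)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def auth_methods(record):
    """Return (methods, explicit) following the proposed prose.

    methods:  known methods to evaluate; an empty set means no usable method.
    explicit: False when the record has no auth= tag at all, so a receiver
              can tell "not specified" apart from "dkim:spf" stated outright.
    """
    tags = parse_tags(record)
    if "auth" not in tags:
        return set(KNOWN), False
    listed = [m.lower() for m in tags["auth"].split(":") if m]
    # Unknown methods are ignored. The proposal does not say how a list made
    # up only of unknown methods is treated; here it yields an empty set.
    return {m for m in listed if m in KNOWN}, True


def matches_abnf(record):
    """True when the auth= value is one of the enumerated ABNF alternatives."""
    tags = parse_tags(record)
    return "auth" not in tags or tags["auth"].lower() in ABNF_VALUES


def dmarc_pass(record, aligned_pass):
    """aligned_pass: set of methods that gave an aligned pass for a message."""
    methods, _ = auth_methods(record)
    return bool(methods & aligned_pass)


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=reject; auth=dkim",
                "v=DMARC1; p=reject; auth=", "v=DMARC1; auth=dkim:futuremethod"):
        print(rec, "->", auth_methods(rec), "ABNF ok:", matches_abnf(rec))
```

A value such as "dkim:futuremethod" is accepted by the prose rule (the unknown method is ignored) but is not one of the enumerated ABNF strings, which is the extension problem the reply points out.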