It appears that Scott Kitterman <skl...@kitterman.com> said: >>When receivers apply the "MUST NOT reject" in Section 8.6 to accept >>unauthenticated messages as quarantined messages, receivers SHOULD >>carefully review how they forward mail traffic to prevent additional >>security risk. That is, this downgrade can enable spoofed messages that >>are SPF DMARC authenticated with a fraudulent From identity despite having >>an associated strong DMARC policy of "p=reject". ...
We all realize that SPF has problems, but I really do not want to fill up the DMARC document with text that says "you can authenticate with SPF, hahaha no just kidding." The way to fix Microsoft's forwarding SPF problem is for Microsoft to put the forwarding user's bounce address on the message, not for us to tell the entire world to use kludgy workarounds. R's, John _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
