On October 25, 2023 1:37:55 PM UTC, John Levine <jo...@taugh.com> wrote:
>It appears that Scott Kitterman  <skl...@kitterman.com> said:
>>>* Is there consensus on moving ahead with the idea of a way to indicate
>>>which authentication method(s) the Domain Owner wants Receivers to use?  If
>>>so, it doesn't seem to be in the document yet.
>>
>>I haven't seen any valid case for it yet.  It adds complexity to little or no 
>>benefit. 
>
>Normally I am in favor of keeping stuff simple, but I think in this case the
>argument for "DKIM only" is quite strong.  People whose opinion I trust tell
>me that so many SPF records include so many large clouds that in practice
>an SPF pass no longer tells you anything useful.
>
>There's the counterargument "so don't publish SPF" but it's on so many checklists
>that even though that would be a fine idea, it's not practical.

Diving into the SPF angle, if someone has a 'legitimate' mail source that also 
sends spoofed mail for them, they can prefix the relevant mechanism with '?' so 
it produces a neutral rather than a pass result.  DMARC will ignore it then.  
Still solvable in SPF with no protocol change.

These sources are effectively open relays (not literally, but practically).  
This isn't a problem that should be solved by a protocol change in DMARC.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
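
The '?' qualifier described in the message above, as an added example that is not part of the original email: a minimal SPF evaluator (ip4, include and all only) showing that a shared sender behind `?include:` yields neutral, which DMARC does not count. The domains, addresses, TXT records and function names are constructed for illustration, and alignment is simplified to an exact domain match.

```python
import ipaddress

# Constructed zone data (assumption): example.com uses its own server plus a
# shared cloud sender whose SPF record covers a large address range.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ?include:_spf.bigcloud.example -all",
    "_spf.bigcloud.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT):
    """Minimal SPF evaluation: ip4, include and all mechanisms only."""
    addr = ipaddress.ip_address(ip)
    for term in txt[domain].split()[1:]:  # skip the v=spf1 version tag
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced record yields pass;
            # the result is then set by the qualifier on the include itself
            matched = check_host(ip, arg, txt) == "pass"
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"unsupported term: {term}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched

def dmarc_spf_passes(ip, mail_from_domain, header_from_domain, txt=TXT):
    """DMARC counts SPF only on a pass result with an aligned domain."""
    aligned = mail_from_domain == header_from_domain  # strict alignment, simplified
    return aligned and check_host(ip, mail_from_domain, txt) == "pass"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, check_host(ip, "example.com"),
              dmarc_spf_passes(ip, "example.com", "example.com"))
```
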
