>
> >There's the counterargument "so don't publish SPF" but it's on so many
> >checklists that even though that would be a fine idea, it's not practical.
>
> Diving into the SPF angle, if someone has a 'legitimate' mail source that
> also sends spoofed mail for them, they can prefix the relevant mechanism
> with '?' so it produces a neutral rather than a pass result.  DMARC will
> ignore it then.  Still solvable in SPF with no protocol change.
>
> These sources are effectively open relays (not literally, but
> practically).  This isn't a problem that should be solved by a protocol
> change in DMARC.
>

I too had thought there was consensus on this issue. I think in this case
it is appropriate for a protocol change. Senders today do not currently
have a way to express "ignore my SPF when evaluating DMARC". Adding that to
the protocol is necessary to give them that choice. We have seen hundreds
of senders affected by this issue and it is not acceptable for them to turn
off SPF because there are a variety of receivers out there with varying
requirements and turning off SPF entirely might have a negative impact. It
is more than acceptable for them to say: ignore SPF from the perspective of
DMARC.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
