On Wednesday, October 25, 2023 10:46:09 AM EDT Emanuel Schorsch wrote:
> > > There's the counterargument "so don't publish SPF" but it's on so many
> > > checklists that even though that would be a fine idea, it's not practical.
> >
> > Diving into the SPF angle, if someone has a 'legitimate' mail source that
> > also sends spoofed mail for them, they can prefix the relevant mechanism
> > with '?' so it produces a neutral rather than a pass result. DMARC will
> > ignore it then. Still solvable in SPF with no protocol change.
> >
> > These sources are effectively open relays (not literally, but
> > practically). This isn't a problem that should be solved by a protocol
> > change in DMARC.
>
> I too had thought there was consensus on this issue. I think in this case
> it is appropriate for a protocol change. Senders today do not currently
> have a way to express "ignore my SPF when evaluating DMARC". Adding that to
> the protocol is necessary to give them that choice. We have seen hundreds
> of senders affected by this issue and it is not acceptable for them to turn
> off SPF because there are a variety of receivers out there with varying
> requirements and turning off SPF entirely might have a negative impact. It
> is more than acceptable for them to say: ignore SPF from the perspective of
> DMARC.

And then where's DMARC when the demand comes up to ignore DKIM because of the
impacts of DKIM replay attacks?

To me this is similar to the multiple suggestions over the years to add an
"I really mean it" flag to SPF for records that end in -all and it's an
equally 'good' idea.

This is entirely fixable within SPF as the message you are replying to
describes.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
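The thread above turns on one detail of how SPF results feed into DMARC: a `?` qualifier on a mechanism yields a "neutral" result instead of "pass", and DMARC (RFC 7489, section 3.1.2) only credits SPF when the result is exactly "pass" and the MAIL FROM domain aligns with the RFC5322.From domain. The following is an added example written for this page, not code from the thread or from any SPF/DMARC implementation. It models only the `ip4`/`ip6` mechanisms and `all` (no `include`, `a`, `mx` or macros) and approximates the organizational domain by the last two labels rather than consulting the Public Suffix List; the record strings and IP addresses are constructed sample values.

```python
import ipaddress

# SPF qualifier characters and the result each one produces on a match (RFC 7208 s.4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: a domain with its own MTA range plus one shared third-party
# source (198.51.100.7) that also emits mail for other customers.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
NEUTRAL_RECORD = "v=spf1 ip4:192.0.2.0/24 ?ip4:198.51.100.7 -all"
OWN_MTA_IP = "192.0.2.5"
SHARED_SOURCE_IP = "198.51.100.7"
UNLISTED_IP = "203.0.113.9"


def evaluate_spf(record, client_ip):
    """Evaluate a simplified SPF record for client_ip.

    Only ip4/ip6 mechanisms and 'all' are modelled (assumption for this example);
    any other mechanism raises so the simplification is never silent.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an absent qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # 'in' is False when address and network families differ.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism not modelled in this example: {name}")
    return "neutral"  # no mechanism matched and no 'all' term: neutral (RFC 7208 s.4.7)


def organizational_domain(domain):
    """Crude organizational-domain approximation (last two labels).

    Real DMARC uses the Public Suffix List; this shortcut is an assumption of the example.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def spf_passes_for_dmarc(spf_result, mailfrom_domain, header_from_domain, relaxed=True):
    """Return True only if SPF contributes an aligned pass to DMARC.

    DMARC ignores every SPF result other than 'pass', so neutral, softfail, fail
    and none all count the same: SPF simply does not help the message.
    """
    if spf_result != "pass":
        return False
    if relaxed:
        return organizational_domain(mailfrom_domain) == organizational_domain(header_from_domain)
    return mailfrom_domain.lower() == header_from_domain.lower()


def dmarc_spf_outcome(record, client_ip, mailfrom_domain, header_from_domain):
    """Combine SPF evaluation and DMARC alignment; returns (spf_result, counts_for_dmarc)."""
    result = evaluate_spf(record, client_ip)
    return result, spf_passes_for_dmarc(result, mailfrom_domain, header_from_domain)


if __name__ == "__main__":
    for label, record in (("strict", STRICT_RECORD), ("neutral-prefixed", NEUTRAL_RECORD)):
        for ip in (OWN_MTA_IP, SHARED_SOURCE_IP, UNLISTED_IP):
            print(label, ip, dmarc_spf_outcome(record, ip, "example.com", "example.com"))
```

With the `?` prefix, mail from the shared source still gets an SPF "neutral" rather than a "fail" (so receivers that act on SPF alone do not reject it), while DMARC no longer treats that source as an aligned pass; the domain's own MTA range keeps its pass and its DMARC alignment in both records.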