On Wednesday, October 25, 2023 11:01:27 AM EDT Richard Clayton wrote: > In message <cbb1f6bd-c6a8-4ce6-bec9-2c84c9d0b...@kitterman.com>, Scott > Kitterman <skl...@kitterman.com> writes > > >>> My reading of the discussion is: > >>> > >>> 1. We did not have rough consensus to eliminate the use of SPF in DMARC. > > sadly so, it would have been the right thing to do > > >>> 2. We did not have rough consensus to complicate DMARC by having the > > > >publishing domain specify authentication methods. > > hmm... it does seem to be the best way of addressing #1 > > >The purported use case is "my SPF is so awful you can't trust it and at the > >same time, so critical I still have to publish the record". I don't think > >that's a real thing. > > there appear to be receivers who use SPF as a filtering mechanism to > reject patently obvious forgeries -- and if SPF passes they then apply > other mechanisms because they don't want to bother with DKIM (I've seen > posts to this effect -- their customers, their funeral) > > not having an SPF record at all would mean that these receivers would > not be able to do that filtering (and the lack of SPF might adversely > affect various heuristics for determining how email should be treated) > > viz: there is an edge case for senders to continue to publish SPF even > when it almost useless (it stops people forging mail from a different > cloud, but not from the one that they use) > > if that is so, then senders need to be able to tell all the receivers > who do believe in the value of DKIM (and there are a lot of those) "take > no notice of my SPF record" ... so DMARCbis should support that > > Note that if BIMI is involved the SPF will be ignored anyway (and the > documentation might even say that RSN) > > >If your SPF is unreliable, fix it or delete it. Not a DMARC problem. > > senders using clouds to spin up and spin down resources depending on > demand will struggle to "fix it" ... that's why it was so widely drawn > in the first place. Senders using shared IPs at ESPs are also not in a > position to "fix it" -- they can only hope that the ESP correctly > polices what is being sent by each particular customer.
Modifying their SPF record to include '?' for the suspect mechanisms is the exact technical solution to this problem. It has no impact on rejecting messages that fail SPF and keeps such mail from passing DMARC. The solution to bad SPF deployments is fixing them. Scott K _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
