On Sat 28/Oct/2023 17:28:50 +0200 Scott Kitterman wrote:
>>> We need to add a subsection in Security Considerations, discussing an
>>> example of an include mechanism with a neutral qualifier and its effect on
>>> DMARC outcome; that is, how that avoids spurious authentications.
>>
>> I disagree. It's already addressed in RFC 7208 and we have:
>>
>> 11.1. Authentication Methods
>>
>> Security considerations from the authentication methods used by DMARC
>> are incorporated here by reference.
>>
>> It's already covered.
>
> I thought some more about this and maybe we should put something in about
> this.

Thank you for your intellectual honesty.

> Maybe something like:
>
> Domains which publish SPF records that include mechanisms which relate to mail
> services which do not protect against cross-user forgery (RFC 7208, Section
> 11.4) are advised to do so only with the '?' qualifier to mitigate the risk
> that such spoofed messages will receive a DMARC pass result.

That's a good start. I think we should add an example showing, say:

"v=spf1 ?include:spf.protection.extra-large-domain.example -all"

It seems to me that people have the false persuasion that qualifiers can only
be used in the all mechanism.
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
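The effect Scott's wording and Ale's example describe can be shown with a toy evaluator. The block below is an added illustration, not code from the thread, the DMARC draft or any SPF library: it implements just enough of RFC 7208 check_host() (ip4, include, all, and the four qualifiers) to evaluate two constructed records, one using `include:` and one using `?include:` for a shared mail service that does not protect against cross-user forgery, and then applies DMARC's rule that only an SPF *pass* on an aligned MAIL FROM domain counts. The domain names `careful.example` and `careless.example`, the record contents and the IP addresses are all constructed for the example; alignment is checked strictly (exact match) for brevity.

```python
"""Toy SPF evaluator showing why a neutral-qualified include keeps a shared
mail service from producing spurious DMARC passes.  Example code added for
illustration; not part of the DMARC draft or any real SPF library."""

import ipaddress

# Constructed records for a toy DNS.  The domain names are hypothetical;
# spf.protection.extra-large-domain.example stands for a large shared mail
# service that does not protect against cross-user forgery (RFC 7208, 11.4).
SPF_RECORDS = {
    "careful.example":
        "v=spf1 ip4:192.0.2.10 ?include:spf.protection.extra-large-domain.example -all",
    "careless.example":
        "v=spf1 ip4:192.0.2.10 include:spf.protection.extra-large-domain.example -all",
    "spf.protection.extra-large-domain.example":
        "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Minimal RFC 7208 check_host(): supports ip4, include and all only."""
    if depth > 10:                      # mirrors the RFC 7208 s4.6.4 lookup limit
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    fields = record.split()
    if fields[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in fields[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # RFC 7208 s5.2: the include mechanism matches only when the
            # included record evaluates to pass; the *caller's* qualifier
            # then decides which result that match produces.
            inner = check_host(ip, arg, depth + 1)
            if inner == "temperror":
                return "temperror"
            if inner in ("permerror", "none"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"          # unsupported term in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched


def dmarc_spf_leg(ip, mailfrom_domain, from_header_domain):
    """DMARC's SPF identifier check: only an SPF pass on an aligned
    MAIL FROM domain counts.  Strict alignment (exact match) for brevity."""
    spf = check_host(ip, mailfrom_domain)
    aligned = mailfrom_domain.lower() == from_header_domain.lower()
    return "pass" if spf == "pass" and aligned else "fail"


if __name__ == "__main__":
    # 198.51.100.5 lies inside the shared service's range, so it could be any
    # customer of that service using another customer's domain in MAIL FROM.
    for domain in ("careless.example", "careful.example"):
        print(domain, check_host("198.51.100.5", domain),
              dmarc_spf_leg("198.51.100.5", domain, domain))
```

Running it prints `careless.example pass pass` and `careful.example neutral fail`: the same message from the shared service's address space is authenticated for the plain `include:` domain, while with `?include:` the included record still matches but the neutral qualifier turns the match into a result DMARC does not accept. Mail from the domain's own address (192.0.2.10) passes either way, so the qualifier costs legitimate traffic nothing and only removes the pass that a cross-user forgery would otherwise obtain.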