-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <CAAFsWK2pezgeYKDM=4ggbcfpquk_yewpkdcfm0j3s9eod5r...@mail.gma il.com>, Wei Chuang <weihaw=40google....@dmarc.ietf.org> writes
>I don't think the SPF '?' qualifier approach works because as Richard >Clayton said earlier of RFC7208 "Sender Policy Framework (SPF) for >Authorizing Use of Domains in Email, Version 1" section 8.2 which says: > > A "neutral" result MUST be treated exactly like the "none" result; > the distinction exists only for informational purposes. Scott pointed out that I had not understood it correctly ... when you run a matching sending IP against a "?" mechanism then you get "neutral" which you are obliged to treat as "none". But you stop there. When you run a non-matching sending IP against that same "?" mechanism then you get a "fail" so you keep on going to look at all the other mechanisms (which also all fail) and eventually (in practice) reach "-all" or "~all" at the end of the record. hence you can still use SPF to filter out the non-starters, but you don't get any warm and fuzzy feeling from the pass... So the SPF publisher they can either publish "?" information or nothing at all -- and the _only_ reason for doing the former is to help with an initial filtering mechanism at sites that use SPF for that purpose. >If it happens to work, it's likely an implementation detail not >standardized across the ecosystem and may change. You're right that there's no way of knowing whether the people who are currently paying a lot of attention to SPF (and less so to DKIM) are going to make poorer decisions when what used to be an SPF pass now becomes a "none" result. Allowing DKIM-only to be specified in DMARC allows people to still publish SPF records that yield a pass (thus generating a (possibly mistaken) warm and fuzzy feeling in some quarters ...) >Moreover it will be >highly confusing to those outside of those with connection to the >knowledgeable few. That broader community depends on the literal >interpretation of the RFC. That's what still confuses me about the objections to the proposal to explicitly allow people to say "DKIM only". Yes I get that it adds a little bit to the text of the document and requires a bit more code to parse the new parameter and hence you can object on the basis of "complexity" -- but it does seem simpler to understand the stricture "ignore SPF" than grok the necessity to alter SPF records to use a complex-to-understand mechanism which may degrade some deliverability. - -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBZT5hO92nQQHFxEViEQIM0gCfU3ZV3bEfi9kAfEFThr+30GJWqFsAoI2z xh0KGaaD5mELlRimHgVMwRDu =HmrF -----END PGP SIGNATURE----- _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc