Douglas Foster skrev den 2024-02-29 18:48:
I am surprised at the lack of feedback about Barry's research link.
It is a devastating attack on our ability to trust SPF when shared
infrastructure is involved. As a result of that document, I have
switched camps and believe that we MUST provide a DKIM-only option for
DMARC.
The proposed workaround, of using a "?" modifier to force SPF Neutral
instead of Pass, seems to lack both awareness and implementation,
since it was not even mentioned in the research document as a
mitigation.
spf specs have desided to allow +all and unlimited numbers of ips, there
is no way to stop it unless rfc changes it
even "v=spf1 ip4:0.0.0.0/0 -all" is fully valid
for maillist is never being dmarc aligned anyway, but direct could be
aligned, if not a forwarding host does something, with or without srs
maybe rfc wise it could help to have a max ips to get spf pass ?
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
