Hi,

Section 5 has a paragraph that can fit Scott's solution to SPF spoofing.
Here's a possible change:

OLD
A Domain Owner or PSO may choose not to participate in DMARC
evaluation by Mail Receivers simply by not publishing an appropriate
DNS TXT record for its domain(s). A Domain Owner can also choose not
to have some underlying authentication technologies apply to DMARC
evaluation of its domain(s). In this case, the Domain Owner simply
declines to advertise participation in those schemes. For example,
if the results of path authorization checks ought not to be
considered as part of the overall DMARC result for a given Author
Domain, then the Domain Owner does not publish an SPF policy record
that can produce an SPF pass result.

NEW
A Domain Owner or PSO may choose not to participate in DMARC
evaluation by Mail Receivers simply by not publishing an appropriate
DNS TXT record for its domain(s). A Domain Owner can also adjust how
some underlying authentication technologies apply to DMARC evaluation
of its domain(s). To do so, the Domain Owner directly operates on
its participation in those schemes. For example, if the results of
path authorization checks ought not to be considered as part of the
overall DMARC result for a given Author Domain, then the Domain Owner
does not publish an SPF policy record, or it can use the neutral
qualifier to avoid granting "pass" results to external domains (that
is, for example "v=spf1 ?include:example.com -all").

Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc