Now with Mike's tweak:

Add this to 11.1 Authentication Methods

Both of the email authentication methods that underlie DMARC provide some assurance that an email was transmitted by an MTA which is authorized to do so. SPF policies map domain names to sets of authorized MTAs [ref to RFC 7208, section 11.4]. Verified DKIM signatures indicate that an email was transmitted by an MTA with access to a private key that matches the published DKIM key record.

Whenever mail is sent, there is a risk that an overly permissive source may send mail that will receive a DMARC pass result that was not, in fact, intended by the Domain Owner. These results may lead to issues when systems interpret DMARC pass results to indicate a message is in some way authentic. They also allow such unauthorized senders to evade the Domain Owner's intended message handling for authentication failures.

To avoid this risk one must ensure that no unauthorized source can add DKIM signatures to the domain's mail or transmit mail which will evaluate as SPF pass. If, nonetheless, a Domain Owner wishes to include a permissive source in a domain's SPF record, the source can be excluded from DMARC consideration by using the '?' qualifier on the SPF record mechanism associated with that source.


R's,
John


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
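The effect of the '?' qualifier described in the proposed text, as an added example that is not part of the original post or of the DMARC/SPF specifications. The SPF evaluator below is a deliberately reduced one (ip4, include and all only; no DNS, macros, a/mx/exists, or lookup limits) and the domain names, records and addresses are constructed: example.com is the hypothetical Domain Owner, bulk-sender.example a hypothetical permissive third-party source, and the addresses come from the documentation ranges.

```python
import ipaddress

# Constructed SPF records (not real DNS data). The Domain Owner wants mail
# relayed by bulk-sender.example delivered, but that source is permissive
# (many unrelated customers share its address space), so its include is
# given the '?' qualifier: a match yields "neutral" rather than "pass".
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ?include:bulk-sender.example -all",
    "bulk-sender.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# The same record without the qualifier, for comparison: an include with the
# implicit '+' turns the permissive source into an SPF "pass" for example.com.
SPF_RECORDS_PERMISSIVE = dict(
    SPF_RECORDS,
    **{"example.com": "v=spf1 ip4:192.0.2.0/24 include:bulk-sender.example -all"},
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, ip, records=SPF_RECORDS, depth=0):
    """Reduced SPF check: ip4, include and all, each with an optional qualifier.
    Terms are tested left to right; the first match decides the result, and a
    record with no matching term yields the default "neutral"."""
    if depth > 10:
        return "permerror"          # runaway include chain
    record = records.get(domain)
    if record is None:
        return "none"               # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the included record evaluates to pass;
            # the outer qualifier then decides what that match means here
            matched = evaluate_spf(term[8:], ip, records, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"      # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_spf_aligned(from_domain, mail_from_domain, ip, records=SPF_RECORDS):
    """DMARC counts SPF only when the result is exactly "pass" AND the MAIL FROM
    domain aligns with the RFC5322.From domain (strict alignment, for brevity).
    Neutral, softfail, fail and none all leave DMARC's SPF leg unsatisfied."""
    return (evaluate_spf(mail_from_domain, ip, records) == "pass"
            and mail_from_domain == from_domain)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(ip,
              "with '?':", evaluate_spf("example.com", ip),
              "| without:", evaluate_spf("example.com", ip, SPF_RECORDS_PERMISSIVE),
              "| DMARC SPF aligned:", dmarc_spf_aligned("example.com", "example.com", ip))
```

Mail from the Domain Owner's own range still passes, mail from the permissive source's range is delivered on its own merits but comes back "neutral" and so never satisfies DMARC's SPF leg, and everything else hits "-all". Dropping the '?' is the contrast the proposed text warns about: the same third-party address then produces an SPF pass that DMARC would treat as the Domain Owner's authenticated mail.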
