I have to agree with Seth's comments that "security teams believe an SPF hard fail is more secure". I've been on the receiving end of that discussion more than once.
Also, can we reference those two M3AAWG documents ? That seems like operational guidance. tim On Mon, Apr 1, 2024 at 8:55 AM Dotzero <dotz...@gmail.com> wrote: > > > On Mon, Apr 1, 2024 at 8:18 AM Brotman, Alex <Alex_Brotman= > 40comcast....@dmarc.ietf.org> wrote: > >> One item left out of Seth’s text is that due to MBPs who act in this >> fashion, these SPF evaluation failures will (understandably) not show up in >> DMARC reports, and the domain owner may not have visibility for these >> failures. However, the text also puts the onus on the domain owner instead >> of the MBP. The text could be altered to instead suggest that MBPs who >> deploy DMARC should not utilize the outcome of SPF in this fashion. If the >> domain owner wants to protect their domain, and has no idea if the MBP >> supports DMARC properly (presuming they also have an enforcing policy), is >> it more or less advisable to use “-all” with your SPF record? >> >> >> >> I’d be curious to see the Venn diagram of MBPs who implement SPF in this >> fashion, and also fully support DMARC. I feel like the MBPs who I’ve >> encountered deploying an SPF check in this way had not at the time >> supported DMARC. >> >> >> >> -- >> >> Alex Brotman >> >> Sr. Engineer, Anti-Abuse & Messaging Policy >> >> Comcast >> >> > I was just thinking along these lines and was going to post but you beat > me to the punch. > > +1 > > Michael Hammer > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
