On Mar 31, 2024, at 12:45 PM, Seth Blank <seth=40valimail....@dmarc.ietf.org> wrote:
It appears that Mark Alley <mark.al...@tekmarc.com> said:
>> People who publish -all know what they do.
>
>I posit that there is a non-insignificant amount of domain owners that
>don't know what the consequences of -all are other than that they've
>been instructed to use "-all" by a guide online, ...
I'm with you. I have had too many arguments with people whose SPF records
end with -all and insist it is everyone's fault but theirs that their mail
doesn't get delivered.
The special case of a record only containing -all, meaning they send no
mail whatsoever, is different and I don't think it's contentious.
But I still am reluctant to give people a lot of advice about how to
sent up their SPF records. This is dmarc-bis, not spf-bis.
I concur, and do not want to accidentally make normative updates to SPF.
SPF hard fails in a DMARC context is a constant point of confusion and bad operational practice. I do think the spec should cover it in a concise and mostly informational way.
My proposed text was:
---- Some Mail Receiver architectures implement SPF in advance of any DMARC operations. This means that an SPF hard fail ("-") prefix on a sender's SPF mechanism, such as "-all", could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place, and DKIM has a chance to validate the message instead of SPF. Operators choosing to use "-all" to terminate SPF records should be aware of this. Since DMARC only relies on an SPF pass, all failures are treated equally. Therefore, it is considered best practice when using SPF in a DMARC context for domains that send email to end records with a soft fail ("~" / "~all").
---
Could this work with simply the removal of the last sentence covering best practice?
R's,
John
John’s treatment of this topic is as clear and concise as I’ve seen. Excellent. |
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
