Hi,

for those of you who don't subscribe to dm...@ietf.org, I summarize this proposal, which was aired there last week.

The idea is to let a domain specify which mechanisms to consider when validating DMARC alignment. The default would be auth=dkim/spf, meaning that either an aligned signature or an aligned SPF address would validate a message, as is now.

Setting auth=dkim only would change it to discard SPF results. It could be the choice of domains who are forced to include an over-bloated SPF record, which is needed to deliver to some non-DMARC receivers, but allows impersonations.

Choosing auth=dkim+spf would require both DKIM /and/ SPF to validate. That would exclude DKIM replay from unauthorized sources. Would it work? The effect could be compared to that of receivers who reject spf-all before DATA, hence before evaluating DKIM, and then would reject on failing or non-aligned DKIM. The absence of softfail (~all) for DMARC would make the combined method even more severe, to the point that it's been called a footgun.

Discussions about solutions that only cover DKIM replay are now declared to be out of scope for DMARC. In fact, messages that would only be blocked by auth=dkim+spf are either messages that pass DKIM but fail SPF, or messages that pass SPF but fail DKIM. Since the latter case, excluding misconfigurations, looks unlikely, this setting serves only DKIM replay. So I turn the topic to this WG, in case someone thinks it's worth mentioning it among the possible yet untried solutions.


Best
Ale
--
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
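The three auth= settings discussed above, worked through as an added example (not code from the original message): the `auth` tag is the one proposed in the mail and does not exist in DMARC, the organizational-domain lookup is simplified to the last two labels instead of a Public Suffix List query, and the Authentication-Results values are constructed.

```python
import re

# Constructed Authentication-Results values (not from the original message).
AR_GENUINE = ("mx.example.net; dkim=pass header.d=example.com header.s=sel;"
              " spf=pass smtp.mailfrom=bounce@mail.example.com")
AR_REPLAYED = ("mx.example.net; dkim=pass header.d=example.com header.s=sel;"
               " spf=fail smtp.mailfrom=bounce@attacker.example")
AR_SPF_ONLY = "mx.example.net; dkim=none; spf=pass smtp.mailfrom=news@example.com"

def parse_dmarc(record):
    """Split a DMARC TXT record into lowercase tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels, no Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_auth_results(header):
    """Return (DKIM d= domains that passed, SPF mailfrom domains that passed)."""
    dkim = re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", header, re.I)
    spf = re.findall(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", header, re.I)
    return dkim, spf

def dmarc_pass(record, from_domain, auth_results):
    """Evaluate DMARC under the proposed auth= tag (hypothetical; default keeps today's OR)."""
    tags = parse_dmarc(record)
    auth = tags.get("auth", "dkim/spf")
    dkim_domains, spf_domains = parse_auth_results(auth_results)
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_domains)
    spf_ok = any(aligned(from_domain, d, tags.get("aspf", "r")) for d in spf_domains)
    if auth == "dkim":        # SPF results are discarded entirely
        return dkim_ok
    if auth == "dkim+spf":    # both identifiers must pass and be aligned
        return dkim_ok and spf_ok
    return dkim_ok or spf_ok  # "dkim/spf": current DMARC behaviour
```

With AR_REPLAYED (valid aligned signature, failing SPF) only auth=dkim+spf rejects, which is the replay case the mail describes; with AR_SPF_ONLY both auth=dkim and auth=dkim+spf reject.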