On Mon, Apr 9, 2018 at 4:55 PM Leo Gaspard <mailop@leo.gaspard.ninja> wrote:

> On 04/10/2018 01:04 AM, Brandon Long wrote:
> > We've also seen various banks and other large companies who seem to
> > specifically only
> > use SPF with DMARC, as a way of disallowing forwarding, I guess.
> >
> > With ARC, you can actually "pass" the SPF pass through the forwarder.
> >
> > Not that there's anywhere near wide enough acceptance of ARC to make
> > that your default.
>
> Hmm, I seem to remember even Google (who IIRC pushed for ARC, but you
> know better than me) doesn't open ARC to third-party forwarders? Also,
> ARC requires a relationship of trust between the forwarder and the
> forwarded-to, if I remember correctly? So that couldn't reasonably work
> for us, as we redirect to a few thousand different domains, so
> something that requires explicit agreement with each forwarded-party
> would likely never work.
>

Google does not yet trust third party ARC signatures, yes.  We're open to
manually adding some as they become available, but overall, it's a chicken
and egg thing so far, there aren't enough of them yet for us to create a
mechanism to automatically build trust.

Anyways, this is just saying what I said, it's not widely deployed enough yet
to be viable.


> > Rewriting or rejecting.  I tend to favor rewriting, but arguments can be
> > made both ways.  Assuming the
> > forwarding service is something set up by the receiver, then they almost
> > certainly would prefer to
> > get the mail.
> >
> > As for whether DMARC should have allowed SPF, there were several policy
> > proposals based
> > on DKIM directly that failed.  DMARC added three things to those, From
> > header alignment, reporting
> > and SPF.  Which of those made it more successful than the previous
> > attempts, or was it just the parties
> > involved in creating it, the timing, the need getting big enough... who
> > knows.
>
> Well, reporting and From header alignment make a lot of sense, I just
> don't get why SPF. The aim of DMARC is to ensure a message originated
> where it originated from, so what's the point in SPF when DKIM's
> available? The only reason I could think of would be protection against
> replay attacks, but that's taken care of by Message-Id and
> de-duplication filters.
>
> Well, anyway, that's wishful thinking on my part, unless there's a DMARC
> v2 that disallows SPF-only and some major email provider drops support
> for DMARC v1 in favor of v2 only there won't be any change, and that's
> not really likely to happen any time soon, so…


My understanding is because SPF is easy and forwarding is relatively rare.

Last I looked, SPF validation was still >10% more than DKIM validation, for
example.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
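
The forwarding problem discussed in this thread, as an added example that is not part of the original messages: a simplified model of how a receiver evaluates DMARC for an SPF-only sender versus a DKIM-signing sender after forwarding, and how a trusted ARC sealer can carry the upstream result through. The domains, the `Auth` record and the `disposition` function are assumptions made for illustration; no DNS lookups or signature verification are performed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Auth:
    """Authentication results as seen by one receiving hop (constructed inputs)."""
    spf_pass: bool
    mailfrom_domain: str           # RFC5321.MailFrom domain that SPF evaluated
    dkim_pass: bool = False
    dkim_d: Optional[str] = None   # d= domain of a verified DKIM signature

def aligned(auth_domain, from_domain):
    # Strict alignment only (exact match); relaxed mode needs the Public Suffix List.
    return auth_domain is not None and auth_domain.lower() == from_domain.lower()

def dmarc_pass(from_domain, auth):
    # DMARC passes if either mechanism passes AND aligns with the From header domain.
    spf_ok = auth.spf_pass and aligned(auth.mailfrom_domain, from_domain)
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_d, from_domain)
    return spf_ok or dkim_ok

def disposition(from_domain, auth, arc_sealer=None, arc_upstream_pass=False,
                trusted_sealers=frozenset()):
    """Hypothetical receiver policy: honor an ARC-recorded pass only from trusted sealers."""
    if dmarc_pass(from_domain, auth):
        return "pass"
    if arc_sealer in trusted_sealers and arc_upstream_pass:
        return "pass (ARC override)"
    return "fail"

FROM = "bank.example"  # constructed sender domain
# Direct delivery from an SPF-only sender.
direct = Auth(spf_pass=True, mailfrom_domain="bank.example")
# Forwarded, envelope kept: the forwarder's IP is not in the sender's SPF record.
fwd_kept = Auth(spf_pass=False, mailfrom_domain="bank.example")
# Forwarded, envelope rewritten: SPF passes for the forwarder but does not align.
fwd_rewritten = Auth(spf_pass=True, mailfrom_domain="forwarder.example")
# Forwarded unmodified from a DKIM-signing sender: the signature still verifies.
fwd_dkim = Auth(spf_pass=False, mailfrom_domain="bank.example",
                dkim_pass=True, dkim_d="bank.example")

if __name__ == "__main__":
    for name, a in [("direct", direct), ("fwd_kept", fwd_kept),
                    ("fwd_rewritten", fwd_rewritten), ("fwd_dkim", fwd_dkim)]:
        print(name, disposition(FROM, a))
    print("fwd_kept via trusted ARC sealer:",
          disposition(FROM, fwd_kept, "forwarder.example", True,
                      frozenset({"forwarder.example"})))
```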
