Sorry not to get to this sooner. This draft has problems. It's not ready to ship.
Sec 3.1 says a report MUST include explicit auth results for both DKIM and SPF. Well, no. I don't check SPF, so if people are only going to accept DKIM failure reports if they also say something about SPF, they're not going to get any reports from me. I expect people who check SPF but not DKIM feel the same way, particularly for the large fraction of mail that has no DKIM signatures to check. Suggest just removing this clause, and let people report what they're reporting. Original-Envelope-ID and Original-Mail-From: same issue, they're not relevant to DKIM, and by the time I check DKIM, it's often after SMTP is over and the envelope isn't directly available. Suggest it say they SHOULD be included if they are available. Source-IP: same problem. If you don't have the source IP, just leave it out, don't lie. (And 0.0.0.0 is totally oldthink. The value I'm not going to include is ::.) Message-ID: this is just wrong, RFC 5965 does not report it. 3.2.1: Delivery-result: what I do with my mail is none of your business. This field has to be optional. 3.3: Why just spf rather than spf-fail, spf-softfail, spf-temperror, or spf-permerror? If you're reporting an SPF problem, you presumably know what your SPF checker returned. 4: SPF-DNS. If you're going to return a snapshot of the SPF record, shouldn't you also return all the records it included? R's, John _______________________________________________ marf mailing list [email protected] https://www.ietf.org/mailman/listinfo/marf
