On 21. 6. 2023 at 10:59 Alessandro Vesely wrote:
On Tue 20/Jun/2023 09:29:13 +0200 Wei Chuang wrote:
Our proposal would be for DMARCbis to maintain the default for SPF
and DKIM support, and to support senders that want to drop SPF as one
of their DMARC authentication methods to avoid the SPF upgrade
vulnerability. We could have a DMARC policy tag for authentication
e.g. "auth=" that describes the permitted authentication methods the
sender supports and receiver MUST use for validation. DKIM or SPF
are represented as tags "dkim" and "spf", and if multiple tags are
present then they are comma separated and any one passing is
considered passing authentication. Also at least one authentication
method MUST be present. Other authentication methods could be added
in the future as it is our hope that there will be some other
authentication method to improve upon and someday replace SPF
overall. If "auth=" is missing, then DMARC falls back to supporting
SPF and DKIM.
+1, clarifying underlying mechanisms improves DMARC usability.
Version bump only forces domains that wish to use the new tag to
create a new v=DMARC2 record. Old evaluators will read the v=DMARC1
record, whereas they can just ignore the new tag if we stick to the
same version.
After sleeping on it, I think the new tag could also specify DKIM
/and/ SPF, besides or and one only, for domains that want that extra
security. Possible values, for example, auth=dkim|spf (default
value), auth=dkim+spf, auth=dkim, auth=spf.
Best
Ale
Ale,
If I understand DMARC well, right now it works in the mentioned way. The fo=
tags are for reporting only and I have seen many implementations which simply
ignore them; they use the same condition as DMARC has. To be honest, I
am not sure if my understanding is correct, so please do not hesitate
to correct me if I'm wrong.
if ((SPF=pass) and (SPF aligned with "From" domain)) or ((DKIM=pass) and
(DKIM aligned with "From" domain)) then DMARC=pass
+-----------+---------+-----------+---------+----------+
| Alignment | Result  | Alignment | Result  | Result   |
| of SPF    | of SPF  | of DKIM   | of DKIM | of DMARC |
+-----------+---------+-----------+---------+----------+
| Failed    | Failed  | Failed    | Failed  | Failed   |
| Failed    | Failed  | Failed    | Pass    | Failed   |
| Failed    | Failed  | Pass      | Failed  | Failed   |
| Failed    | Failed  | Pass      | Pass    | Pass     |
| Failed    | Pass    | Failed    | Failed  | Failed   |
| Failed    | Pass    | Failed    | Pass    | Failed   |
| Failed    | Pass    | Pass      | Failed  | Failed   |
| Failed    | Pass    | Pass      | Pass    | Pass     |
| Pass      | Failed  | Failed    | Failed  | Failed   |
| Pass      | Failed  | Failed    | Pass    | Failed   |
| Pass      | Failed  | Pass      | Failed  | Failed   |
| Pass      | Failed  | Pass      | Pass    | Pass     |
| Pass      | Pass    | Failed    | Failed  | Pass     |
| Pass      | Pass    | Failed    | Pass    | Pass     |
| Pass      | Pass    | Pass      | Failed  | Pass     |
| Pass      | Pass    | Pass      | Pass    | Pass     |
+-----------+---------+-----------+---------+----------+
The possibility of choosing a policy based on evaluation of the SPF, SPF and
DKIM, SPF or DKIM event, or DKIM itself, in DMARC2 will be really helpful.
In the case where DKIM and SPF both need to pass, the results seem to be a
little bit different from the previous ones. This will definitely satisfy me
for thousands of domains.
if ((SPF=pass) and (SPF aligned with "From" domain)) and ((DKIM=pass)
and (DKIM aligned with "From" domain)) then DMARC=pass
+-----------+---------+-----------+---------+----------+
| Alignment | Result  | Alignment | Result  | Result   |
| of SPF    | of SPF  | of DKIM   | of DKIM | of DMARC |
+-----------+---------+-----------+---------+----------+
| Failed    | Failed  | Failed    | Failed  | Failed   |
| Failed    | Failed  | Failed    | Pass    | Failed   |
| Failed    | Failed  | Pass      | Failed  | Failed   |
| Failed    | Failed  | Pass      | Pass    | Failed   |
| Failed    | Pass    | Failed    | Failed  | Failed   |
| Failed    | Pass    | Failed    | Pass    | Failed   |
| Failed    | Pass    | Pass      | Failed  | Failed   |
| Failed    | Pass    | Pass      | Pass    | Failed   |
| Pass      | Failed  | Failed    | Failed  | Failed   |
| Pass      | Failed  | Failed    | Pass    | Failed   |
| Pass      | Failed  | Pass      | Failed  | Failed   |
| Pass      | Failed  | Pass      | Pass    | Failed   |
| Pass      | Pass    | Failed    | Failed  | Failed   |
| Pass      | Pass    | Failed    | Pass    | Failed   |
| Pass      | Pass    | Pass      | Failed  | Failed   |
| Pass      | Pass    | Pass      | Pass    | Pass     |
+-----------+---------+-----------+---------+----------+
Regards
Jan
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
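The following is an added example, not code from anyone in this thread, that turns the two conditions and truth tables in Jan's message into an evaluator for the proposed "auth=" tag. It assumes the value syntax Ale suggested (auth=dkim|spf, auth=dkim+spf, auth=dkim, auth=spf), additionally accepts the comma separator from Wei's wording as another "or", and treats a missing tag as the current "SPF or DKIM" default. The DMARC record strings are constructed for the example; "auth=" is not a tag defined in RFC 7489, and the alignment inputs are taken as already-computed booleans, exactly as in Jan's tables.

```python
import itertools
from dataclasses import dataclass

# Constructed sample records. The "auth=" tag is the proposal under discussion,
# not a published DMARC tag; its value syntax below is the one Ale proposed.
SAMPLE_RECORDS = {
    "default": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test",
    "either":  "v=DMARC1; p=reject; auth=dkim|spf",
    "both":    "v=DMARC1; p=reject; auth=dkim+spf",
    "dkim":    "v=DMARC1; p=reject; auth=dkim",
    "spf":     "v=DMARC1; p=reject; auth=spf",
}

KNOWN_METHODS = {"dkim", "spf"}


def parse_record(record):
    """Split a DMARC TXT record into a tag dictionary (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a v=DMARC1 record")
    return tags


def auth_mode(tags):
    """Return (methods, require_all) for the proposed auth= tag.

    Missing tag      -> {dkim, spf}, any one passing is enough (today's rule).
    auth=dkim+spf    -> both must pass.
    auth=dkim|spf    -> either (comma also accepted as 'or', assumption here).
    auth=dkim / spf  -> that single method only.
    """
    raw = tags.get("auth")
    if raw is None:
        return set(KNOWN_METHODS), False
    if "+" in raw:
        methods, require_all = raw.split("+"), True
    else:
        methods, require_all = raw.replace(",", "|").split("|"), False
    methods = {m.strip().lower() for m in methods if m.strip()}
    if not methods:
        raise ValueError("auth= must list at least one method")
    unknown = methods - KNOWN_METHODS
    if unknown:
        # A receiver that does not know a listed method cannot evaluate it.
        raise ValueError(f"unknown authentication method(s): {sorted(unknown)}")
    return methods, require_all


@dataclass(frozen=True)
class AuthResults:
    """Per-message results: raw SPF/DKIM verdicts plus From-domain alignment."""
    spf_pass: bool
    spf_aligned: bool
    dkim_pass: bool
    dkim_aligned: bool


def dmarc_pass(results, tags):
    """Apply the record's auth= mode to the aligned-pass outcome of each method."""
    methods, require_all = auth_mode(tags)
    aligned_pass = {
        "spf": results.spf_pass and results.spf_aligned,
        "dkim": results.dkim_pass and results.dkim_aligned,
    }
    checks = [aligned_pass[m] for m in methods]
    return all(checks) if require_all else any(checks)


def truth_table(record):
    """All 16 input combinations in the column order of Jan's tables."""
    tags = parse_record(record)
    rows = []
    for spf_al, spf_res, dkim_al, dkim_res in itertools.product((False, True), repeat=4):
        r = AuthResults(spf_pass=spf_res, spf_aligned=spf_al,
                        dkim_pass=dkim_res, dkim_aligned=dkim_al)
        rows.append((spf_al, spf_res, dkim_al, dkim_res, dmarc_pass(r, tags)))
    return rows


def passing_rows(record):
    """Number of input combinations that yield DMARC=pass for this record."""
    return sum(1 for row in truth_table(record) if row[-1])


def render_table(record):
    """Print the truth table in the same layout as the message above."""
    label = lambda b: "Pass" if b else "Failed"
    print("| SPF align | SPF result | DKIM align | DKIM result | DMARC |")
    for row in truth_table(record):
        print("| " + " | ".join(f"{label(v):<10}" for v in row) + " |")


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"--- {name}: {rec}")
        render_table(rec)
```

Running the block prints one table per record; the "default" and "either" records reproduce Jan's first table (seven passing rows), "both" reproduces the second (only the all-Pass row), and "dkim" or "spf" pass in the four rows where that one method is both passing and aligned.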