On Wed, Dec 24, 2014 at 2:13 AM, Franck Martin <[email protected]> wrote:
> I think we should recommend something here, not sure if it needs to be
> normative. We do say to ignore the SPF policy when p!=none, though I think
> we can be normative on the lower layers. I see 2 options here:
> 1) tempfail the message if either SPF or DKIM has a tempfail status
> 2) tempfail the message if both SPF and DKIM have a tempfail status
>
> 1) is my preferred and is aggressive, therefore not sure people will like
> it. I'll settle for 2)
>
> As explained in another post, I'm worried I can run a DNS attack (or just
> a self-inflicted DNS bad config) and get DMARC to reject emails it should
> have accepted (has the DMARC policy in cache, but cannot assert SPF and
> DKIM).
>

I think it's reasonably clear from 5.6.3 that the "fail open" choice is possibly dangerous, as is anything that fails open. But more importantly, I'm also worried about making a normative decision now about something we deliberately haven't specified up to this point for whatever reason. We are supposed to be documenting current practice with this effort, not establishing something new. Might this be something best left for the standards track WG effort?

-MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
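The two tempfail options Franck lists, placed next to the fail-open behaviour MSK refers to, as an added worked example. This is not code from the thread, the dmarc WG, or any MTA; it is a toy disposition function written for this page. It assumes the p= policy has already been retrieved (the cached-policy case in the thread), that identifier alignment has been computed elsewhere and is passed in as a flag, and it uses the constructed `AuthResult`, `TempfailMode` and scenario names below, none of which exist in any real implementation.

```python
"""Added example: a toy DMARC disposition function showing the two
"tempfail" options from the thread next to fail-open behaviour.
Not code from the dmarc WG or any real MTA; alignment results are
assumed to be computed elsewhere and passed in."""
from dataclasses import dataclass
from enum import Enum


class TempfailMode(Enum):
    FAIL_OPEN = "fail_open"  # temperror treated like any other non-pass: apply p=
    EITHER = "either"        # option 1: tempfail if SPF or DKIM returned temperror
    BOTH = "both"            # option 2: tempfail only if SPF and DKIM both did


@dataclass(frozen=True)
class AuthResult:
    """One authentication result as an MTA would record it (hypothetical type)."""
    result: str            # "pass", "fail", "none", "temperror", "permerror", ...
    aligned: bool = False  # identifier aligned with the RFC5322.From domain (assumed precomputed)


def dmarc_disposition(policy: str, spf: AuthResult, dkim: list, mode: TempfailMode) -> str:
    """Return "accept", "tempfail", "quarantine" or "reject".

    policy is the p= value already retrieved (the cached-policy case from
    the thread); spf is the SPF result for the MAIL FROM domain; dkim is
    the list of per-signature results.
    """
    # Any aligned pass satisfies DMARC; a temperror on the other mechanism
    # is irrelevant then, so there is nothing to tempfail on.
    if spf.result == "pass" and spf.aligned:
        return "accept"
    if any(d.result == "pass" and d.aligned for d in dkim):
        return "accept"

    # With p=none the verdict is "accept" whichever way the lookups would
    # have gone, so deferring the message gains nothing (design choice here).
    if policy == "none":
        return "accept"

    spf_temp = spf.result == "temperror"
    dkim_temp = any(d.result == "temperror" for d in dkim)

    if mode is TempfailMode.EITHER and (spf_temp or dkim_temp):
        return "tempfail"
    if mode is TempfailMode.BOTH and spf_temp and dkim_temp:
        return "tempfail"

    # Fail open: a lookup we could not complete counts as a failure and the
    # published policy is applied, which is the outcome the thread warns about.
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "accept")


def dns_outage_scenario() -> dict:
    """Constructed inputs: p=reject is cached, but the SPF and DKIM lookups
    for this message failed (the DNS-attack / bad-config case)."""
    spf = AuthResult("temperror")
    dkim = [AuthResult("temperror")]
    return {m.value: dmarc_disposition("reject", spf, dkim, m) for m in TempfailMode}


def partial_outage_scenario() -> dict:
    """Constructed inputs: SPF lookup failed, DKIM verified but the d= domain
    is not aligned, so DKIM cannot rescue the message."""
    spf = AuthResult("temperror")
    dkim = [AuthResult("pass", aligned=False)]
    return {m.value: dmarc_disposition("reject", spf, dkim, m) for m in TempfailMode}


if __name__ == "__main__":
    for name, fn in (("both lookups failed", dns_outage_scenario),
                     ("only SPF lookup failed", partial_outage_scenario)):
        print(name, fn())
```

Running the two constructed scenarios shows the difference the thread is about: when both lookups fail, fail-open rejects the message on a p=reject policy while either tempfail option defers it; when only the SPF lookup fails, option 1 still defers but option 2 falls through to the reject, because DKIM did return a definite (unaligned) answer.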
