It's a bad idea, because "?" does not grant SPF authentication. SPF is
important even if the message is DKIM signed and regardless of DMARC,
because it authenticates the envelope address. As an example, an NDR/MDN may
not be generated to an envelope address which is not SPF authenticated; we
actually use this rule in practice to eliminate secondary spam.

GSuite, O365 and large ESPs should not allow the use of an unvalidated/spoofed
e-mail address. If somebody allows spoofing of the sender, there is also a good
chance it DKIM signs the spoofed message, because the DKIM signature is applied
by the same party.

23.02.2019 21:07, Kurt Andersen (b) writes:
> With the growth of huge platforms that emit mail from the same common
> set of IPs (such as GSuite, O365, or large ESPs), regular SPF
> "include" ends up granting a DMARC pass to a lot more potential
> authors than most organizations would necessarily choose to grant. 
>
> Instead of using the standard "(+)include:" approach, if domain owners
> used "?include:" as their mechanism, then that would prevent the SPF
> result from granting a DMARC PASS result when traffic is coming from
> one of these massively included platforms. It would essentially force
> the DMARC result to be driven only by the DKIM evaluation.
>
> Thoughts?
>
> --Kurt Andersen
>
> (I'm copying the spfbis list too because there may be folks lurking
> there who are not on the DMARC list)
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc


-- 
Vladimir Dubrovin
@Mail.Ru
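
Added example, not part of either message: a minimal SPF evaluator showing how the qualifier on "include:" changes the SPF result, what that means for the DMARC outcome, and how the NDR/MDN rule from the reply reacts. The domains, address ranges and function names are constructed for illustration; only the ip4, include and all mechanisms are modelled and no DNS lookups are made.

```python
import ipaddress

# Constructed SPF records (documentation domains and address ranges, not real data).
RECORDS = {
    "plus.example": "v=spf1 include:_spf.bigplatform.example -all",
    "neutral.example": "v=spf1 ?include:_spf.bigplatform.example -all",
    "_spf.bigplatform.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Simplified RFC 7208 check_host: ip4, include and all mechanisms only."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "include":
            inner = check_host(ip, arg)
            if inner == "none":
                return "permerror"  # included domain has no SPF record
            # include matches only when the nested evaluation returns pass
            matched = inner == "pass"
        else:
            continue  # mechanism not modelled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def dmarc_pass(spf_result, spf_aligned, dkim_result, dkim_aligned):
    """DMARC passes when an aligned identifier passed SPF or DKIM."""
    return (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned)

def may_send_ndr(spf_result):
    """Rule from the reply: NDR/MDN only to an SPF-authenticated envelope address."""
    return spf_result == "pass"
```

With "?include:", a message from the shared platform range gets SPF neutral, so DMARC depends on an aligned DKIM pass alone and the envelope address no longer qualifies for an NDR under that rule.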
