On Sat 23/Feb/2019 19:07:31 +0100 Kurt Andersen (b) wrote:
> With the growth of huge platforms that emit mail from the same common set of
> IPs (such as GSuite, O365, or large ESPs), regular SPF "include" ends up
> granting a DMARC pass to a lot more potential authors than most organizations
> would necessarily choose to grant.

Hopefully, large organizations have a policy which enables them to drop
non-compliant users' contracts. The admin attitude. Alternatively, they could
expunge offending IP addresses from their SPF records. The whitelist attitude.
The rest is reputation.

> Instead of using the standard "(+)include:" approach, if domain owners used
> "?include:" as their mechanism, then that would prevent the SPF result from
> granting a DMARC PASS result when traffic is coming from one of these
> massively included platforms. It would essentially force the DMARC result to
> be driven only by the DKIM evaluation.

-1. If DKIM were flawless, maybe... Authentication of email messages forwarded
through various providers is already DKIM-only driven, but that doesn't seem to
improve reliability, does it?

Best
Ale

--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
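The difference between "include:" and "?include:" discussed in this message, as an added example that is not part of the original thread: a minimal SPF evaluator (ip4, include and all only) feeding a strict-alignment DMARC check. The domains, IP ranges and records are constructed, and the helper names are hypothetical.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (hypothetical names).
RECORDS = {
    "_spf.bigplatform.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "strict.example": "v=spf1 ip4:192.0.2.10 include:_spf.bigplatform.example -all",
    "neutral.example": "v=spf1 ip4:192.0.2.10 ?include:_spf.bigplatform.example -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 evaluation: only ip4, include and all are handled."""
    if depth > 10:
        return "permerror"
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the nested evaluation returns pass;
            # the result is then set by the qualifier on the include itself.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_pass(ip, from_domain, mailfrom_domain, dkim_pass_domains):
    """DMARC passes on an aligned SPF pass or an aligned DKIM pass (strict alignment)."""
    spf_ok = mailfrom_domain == from_domain and check_host(ip, mailfrom_domain) == "pass"
    dkim_ok = from_domain in dkim_pass_domains
    return spf_ok or dkim_ok
```

With "?include:", mail from the shared platform range gets SPF neutral, so the DMARC result depends entirely on a valid aligned DKIM signature; the domain's own ip4 address still yields an SPF pass.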
