Applying SPF to DMARC could become out of scope, if we choose to remove SPF
from DMARC and make it dependent only on DKIM.   Until then, we need to
have a shared understanding of how SPF is applied.  This question asks
whether that shared understanding exists.

SPF involves two tests, which can be used together.   This WG can insist
that for DMARC purposes, only one can be used:

    "When the sender is not null, DMARC-evaluation only considers the SPF
evaluation of the MAILFROM Address.   SPF evaluation of HELO MUST NOT be
considered for DMARC purposes."

This wording seems implied by the current language, and by those who want
to leave it untouched.  Implication is different from specification, so our
document should make this explicit.   Unfortunately, an explicit MUST NOT
requirement is hard to justify.   When two domains are involved, and both
domains have published policy information, what justification exists for
ignoring some of the available security-related information?

If we back away from MUST NOT, then we have to consider that some
recipients MAY evaluate SPF HELO and SPF MAILFROM together, just as the SPF
RFC expected them to be used, and as outlined in one of my examples.    If
some recipients MAY evaluate HELO, then senders SHOULD take care to ensure
that HELO will generate a PASS.   Our language becomes something like this:

    "When the sender is not null, DMARC-evaluation always uses the SPF
evaluation of the MAILFROM Address.   Some recipients may evaluate SPF HELO
as well.   To maximize recipient trust, senders SHOULD publish an SPF
policy which ensures that both MAILFROM and HELO will produce SPF PASS
results."

DF

On Wed, Feb 10, 2021 at 6:29 PM Dave Crocker <[email protected]> wrote:

> On 2/10/2021 3:24 PM, Douglas Foster wrote:
> > Huh?  Are you asserting that SPF MAILFROM and SPF HELO are
> > interchangeable?   They are not, but they can work together.
>
>
> Perhaps I misread, but I thought I saw that this really is out of scope
> for this working group.
>
>
> d/
>
> --
> Dave Crocker
> [email protected]
> 408.329.0791
>
> Volunteer, Silicon Valley Chapter
> American Red Cross
> [email protected]
>
>
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
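
The two candidate wordings in the message above, worked through as an added example (not code from the thread or from any DMARC draft). The `Session` fields, the `consider_helo` switch, the `helo-spf-*` note and the two-label organizational-domain shortcut are assumptions made for illustration; the sample sessions are constructed.

```python
from dataclasses import dataclass

def org_domain(d):
    # Simplification for this example: last two labels.
    # Real receivers derive this from the Public Suffix List.
    return ".".join(d.lower().rstrip(".").split(".")[-2:])

def aligned(a, b, strict=False):
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class Session:
    helo: str          # HELO/EHLO domain
    mailfrom: str      # RFC5321.MailFrom, "" for the null sender
    from_domain: str   # RFC5322.From domain
    spf_mailfrom: str  # SPF result for the MAILFROM identity
    spf_helo: str      # SPF result for the HELO identity

def dmarc_spf(s, consider_helo=False, strict=False):
    """Return (dmarc_spf_pass, identity_used, helo_note)."""
    if s.mailfrom == "":
        # Null sender: SPF evaluates postmaster@HELO (RFC 7208, section 2.4),
        # so HELO is the only identity available under either wording.
        ok = s.spf_helo == "pass" and aligned(s.helo, s.from_domain, strict)
        return ok, "helo", None
    dom = s.mailfrom.rsplit("@", 1)[-1]
    # Both wordings: the DMARC SPF result comes from MAILFROM only.
    ok = s.spf_mailfrom == "pass" and aligned(dom, s.from_domain, strict)
    note = None
    if consider_helo and s.spf_helo != "pass":
        # Second wording: a recipient MAY also look at HELO. Recording it as a
        # separate trust note (hypothetical) leaves the DMARC result unchanged.
        note = f"helo-spf-{s.spf_helo}"
    return ok, "mailfrom", note

# Constructed sample sessions
SAMPLES = {
    "helo_fails": Session("mta.example.net", "bounce@news.example.com",
                          "example.com", "pass", "fail"),
    "null_sender": Session("mail.example.com", "", "example.com", "none", "pass"),
    "mailfrom_fails": Session("mail.example.com", "bounce@example.org",
                              "example.com", "fail", "pass"),
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        print(name, dmarc_spf(s), dmarc_spf(s, consider_helo=True))
```

The `helo_fails` session is the case the second wording warns senders about: DMARC still passes on MAILFROM, but a recipient that also checks HELO sees a failing result.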
