On Mon 06/Dec/2021 14:29:02 +0100 Scott Kitterman wrote:
On December 6, 2021 1:04:44 PM UTC, Todd Herr <todd.h...@valimail.com> wrote:
On Sat, Dec 4, 2021 at 5:35 PM Douglas Foster 
<dougfoster.emailstanda...@gmail.com> wrote:

I have multiple objections to this paragraph in section 5.7.2

"Heuristics applied in the absence of use by a Domain Owner of either SPF
or DKIM (e.g., [Best-Guess-SPF
<https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-04.html#Best-Guess-SPF>])
SHOULD NOT be used, as it may be the case that the Domain Owner wishes
a Message Receiver not to consider the results of that underlying
authentication protocol at all."

[snip]


I think this text was inserted because of an open ticket when discussion
was going nowhere and a new draft was created.  Perhaps the originator of
that ticket can elaborate on his thinking.


To be clear, the text at issue is present in RFC 7489, Section 6.6.2.

That doesn't make it immutable, of course...

Thanks for the clarification.  I'd forgotten that was there.  I definitely 
think it should be removed, regardless of the origin.


I assume you said one can locally evaluate Best-Guess-SPF, but should not taint DMARC results by considering its outcome. That paragraph should then be left there, no?


In addition to my comments about leaving SPF best guess out, I think the DKIM part is 
problematic too.  There really aren't any DKIM heuristics to use "in the absence of 
use by a domain owner".  The only DKIM related heuristics that might apply to this 
section are the ones we've discussed about recovering signatures that failed due to in 
transit modification.  Those are a good thing, even if they aren't broadly applicable 
enough to warrant standardization.


Agreed.

However, I wonder if there are heuristics for DMARC itself. Step 2 seems to suggest to skip any SPF or DKIM verification if no policy is found. By the same logic, it could even suggest to skip verifications if p=none and no rua/ruf were found. Instead, IMHO, there's some value in carrying out verifications nonetheless.


I think what better goes in this spot is a more general comment about local 
policy (it doesn't seem to be discussed elsewhere).  That would include 
mentioning ARC as an input to local policy.  I have also suggested an appendix 
or possibly a separate document on things mail senders, intermediaries, and 
receivers can do to improve the reliability of DMARC through indirect mail 
flows.  This would be one place that should be referenced.

I'll provide text if people like the concept.

IMHO that'd be interesting.


Best
Ale
--







_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
