This section implies that publishing SPF -ALL is a risky move, which is made worse by DMARC. SPF -ALL is only a risk when (a) the message is forwarded without MAILFROM rewrite and (b) the evaluator does not implement DMARC.
Rather than telling senders to weaken their SPF policies, we need to make it clear to evaluators that they should implement DMARC correctly. Proposed language for the second paragraph: “By design, DMARC allows a verified and aligned DKIM signature to override an unfavorable SPF result, including FAIL. However, the full message, including the DATA section, must be accepted before DMARC participation can be determined and DKIM signatures can be evaluated. Consequently, DMARC evaluators SHOULD NOT use SPF results to reject a message prior to receipt of the entire DATA section.” When this was previously proposed, it was noted that some DMARC evaluators consider the combination of SPF FAIL with a policy containing only "-ALL" to be a special case which justifies early reject. I think it is obvious that if an evaluator does not wish to allow a DKIM override for that situation, then the SHOULD NOT can be ignored.
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
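Added example, not part of the post or of the dmarc list: a small Python model of the evaluation order the post describes. It shows that under DMARC an aligned DKIM pass overrides an SPF FAIL, and that the disposition can only be computed after DATA, since the From: header and DKIM signatures are not available at MAIL FROM. The organizational domain is simplified to the last two labels (an assumption; a real evaluator uses the public suffix list).

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # A real evaluator must consult the public suffix list instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    from_domain: str        # RFC5322.From domain, only known after DATA
    mailfrom_domain: str    # RFC5321.MailFrom domain, known at MAIL FROM
    spf_result: str         # "pass", "fail", "softfail", "none", ...
    dkim_results: list = field(default_factory=list)  # [(d= domain, result)] after DATA

def spf_only_disposition(msg: Message) -> str:
    """A non-DMARC evaluator: a hard SPF FAIL is terminal and is often issued at MAIL FROM."""
    return "reject" if msg.spf_result == "fail" else "deliver"

def dmarc_pass(msg: Message, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes on aligned SPF pass OR aligned DKIM pass, so DKIM overrides SPF FAIL."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mailfrom_domain, msg.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, msg.from_domain, adkim)
                  for d, res in msg.dkim_results)
    return spf_ok or dkim_ok

def dmarc_disposition(msg: Message, policy: str, adkim: str = "r", aspf: str = "r") -> str:
    """Disposition is only available after DATA; applies the published p= policy on failure."""
    if dmarc_pass(msg, adkim, aspf):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

def may_reject_at_mailfrom(spf_result: str, evaluator_does_dmarc: bool) -> bool:
    """The post's point: a DMARC evaluator holds an SPF FAIL until the whole DATA section is in."""
    return spf_result == "fail" and not evaluator_does_dmarc

# Constructed sample: mail from example.com forwarded by a host absent from example.com's
# SPF record, MAIL FROM left unchanged, DKIM signature intact (the case the post describes).
FORWARDED = Message("example.com", "example.com", "fail", [("example.com", "pass")])
```

Running `dmarc_disposition(FORWARDED, "reject")` returns "deliver" while `spf_only_disposition(FORWARDED)` returns "reject", which is exactly the divergence the post attributes to evaluators that skip DMARC.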
