No. “?all” in an SPF record is a negative signal to many filters and a quick way to the spam folder. It also exposes the domain to abuse unconnected with DMARC.

If a sender intentionally relies on DKIM-only alignment, then that’s their decision. Making any recommendations as to what their SPF record should contain, other than being valid, is out of scope. Such recommendations are also prone to make operational assumptions. For example, assuming that the author domain is never going to be used in any other context, such as a 5321.From domain in a different message with a non-DMARC protected 5322.From domain. A specification tries to avoid such assumptions. We also have ARC for cases where an intermediate MTA rewrites the 5321.From.

If we really need to spell out the potential risks of DKIM-only (or indeed SPF-only) alignment, then maybe a BCP document is a better place. It’s not like this is a widespread problem currently.

Ken.

From: dmarc <[email protected]> On Behalf Of Douglas Foster
Sent: Friday 11 February 2022 08:14
To: IETF DMARC WG <[email protected]>
Subject: [dmarc-ietf] (7.1?) DKIM-only authentication

I know that we took out the reference to default policy at my request, and I think it was in section 7.1. But subsequent discussion helped me to understand objectives that were not clear to me in the previous text. I think we need to re-insert something specific about domain owners that want DKIM-only authentication.

Proposed language:

“Some domain owners want DMARC authentication to use DKIM signatures only. This requires ensuring an SPF result other than PASS. An SPF result of FAIL or SOFTFAIL is likely to produce unwanted rejects by non-DMARC evaluators. An SPF result of NONE may be ineffective if an evaluator responds to NONE by applying a locally-defined default SPF policy that produces an unintended SPF PASS. Domain owners who desire DKIM-only authentication are RECOMMENDED to publish a policy of “?ALL”, which ensures an SPF result of NEUTRAL, neither PASS nor FAIL.

Similarly, DMARC evaluators SHOULD treat SPF NONE as equivalent to NEUTRAL when the RFC5322.From domain has an applicable DMARC policy record.”

Doug Foster
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
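
The SPF results this thread argues over, modelled in a short added example that is not part of either message or of any DMARC draft: it maps the qualifier on `all` to an SPF result and applies the DMARC rule that either an aligned SPF pass or an aligned DKIM pass is sufficient. The `guess_matches` flag (a hypothetical name) stands in for an evaluator's locally defined default SPF policy, alignment is strict only, and the domains and results are constructed sample values.

```python
# Added illustration; simplified model, not a full RFC 7208 / RFC 7489 evaluator.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, guess_matches=False):
    """SPF result for a sender that matches no mechanism other than `all`.

    record: the domain's published SPF TXT string, or None if it has none.
    guess_matches: assumption modelling an evaluator-side default policy
    that is applied on NONE and happens to match the sending host.
    """
    if record is None:
        return "pass" if guess_matches else "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched: RFC 7208 default

def aligned(auth_domain, from_domain):
    # Strict alignment only; relaxed mode needs an organizational-domain lookup.
    return auth_domain.lower() == from_domain.lower()

def dmarc_pass(from_domain, spf, mailfrom_domain, dkim_results):
    """dkim_results: list of (d= domain, result) pairs from signature checks."""
    spf_ok = spf == "pass" and aligned(mailfrom_domain, from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for d, r in dkim_results)
    return spf_ok or dkim_ok

if __name__ == "__main__":
    signed = [("example.com", "pass")]        # constructed sample inputs
    for label, rec, guess in [("?all", "v=spf1 ?all", False),
                              ("no record", None, False),
                              ("no record + local default", None, True)]:
        spf = spf_result(rec, guess)
        print(f"{label:26} spf={spf:8} "
              f"signed={dmarc_pass('example.com', spf, 'example.com', signed)} "
              f"unsigned={dmarc_pass('example.com', spf, 'example.com', [])}")
```
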
