First of all, this is not Best-Guess SPF, because it is not a guess. DMARC is all about authentication - it says that a message has, or has not, been judged to be free of impersonation risk. What it does not say is whether a message is wanted, because "wanted" involves much more than authentication.
When the message has the same From domain as the SPF PASS or DKIM VERIFY domain, it demonstrates that it has common administrative control. Relaxed alignment is a gimmick to include more messages in the DMARC PASS category, by inferring common administrative control based on a guess of the organization domain and a guess about administrative control within the domain. If we wanted to define an arbitrary alignment algorithm to satisfy intellectual curiosity, we could see which identifiers have the same 3rd and 5th letters, or which identifiers have the same number of vowels.

The purpose of DMARC is not "alignment", the purpose of DMARC is to increase trust by ruling out impersonation. When impersonation is ruled out by DMARC's authentication mechanism, it is DMARC PASS. The alternative, which you want to ignore, is to "require" evaluators to do something foolish, which is to ignore the fact that the message is free of impersonation.

Whitelisting cannot be done safely unless the decision is based on a verified identifier. So the first benefit of increased PASS volume is to simplify whitelisting. The second benefit of increased PASS volume is to reduce the scope of messages that should be reviewed retroactively to assess whether a malicious impersonation was overlooked. If increased PASS rates were not important, we would not need relaxed alignment.

Is DMARC about making IETF happy, or about making better disposition decisions? The point of my three examples is that they all use the same communication process and the same data, so they should produce the same result.

Doug

On Thu, Aug 4, 2022 at 10:44 PM John Levine <[email protected]> wrote:
> >> DMARC uses available information to produce a result of "Authenticated" or
> >> "Not Authenticated". Sometimes, the message can be reliably categorized
> >> as "Authenticated" or "Not Authenticated" without reference to the
> >> specifics of a domain owner policy. ...
>
> But DMARC has never said whether messages are "Authenticated". It says
> whether they are aligned, based on the authentication results from DKIM
> and SPF. That's not the same thing, and the distinction is deliberate.
> It's quite possible for a message to be authenticated by DKIM or SPF, but
> not aligned. Indeed, most messages sent through this list are in that
> category.
>
> I don't know what this proposal is, but it's not DMARC.
>
> R's,
> John
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
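The exchange above turns on the difference between an identifier being authenticated (SPF PASS or a verified DKIM signature) and that identifier being aligned with the RFC5322.From domain, in strict or relaxed mode. The following is an added example, written for this page; it is not code from either poster or from any DMARC implementation. It assumes a tiny constructed suffix table in place of the real Public Suffix List, and the three message scenarios (direct mail, a bulk sender using subdomains, and a mailing-list resend) are constructed inputs.

```python
"""Strict vs. relaxed DMARC identifier alignment, as an added illustration.

Assumption: PUBLIC_SUFFIXES below is a constructed stand-in for the Public
Suffix List. A real evaluator must load the full PSL to find the
organizational domain; nothing here is production DMARC code.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Organizational domain: one label longer than the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    # Iterating from the full name downward tries the longest suffix first.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    # No known suffix matched; fall back to the last two labels.
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode is 's' (strict) or 'r' (relaxed), mirroring the adkim/aspf tag values."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        # Strict: the authenticated identifier must equal the From domain exactly.
        return a == b
    if mode == "r":
        # Relaxed: it is enough that both share the same organizational domain.
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    """What an evaluator holds after running SPF and DKIM (constructed input)."""
    from_domain: str                       # RFC5322.From domain
    spf_domain: str | None = None          # MAIL FROM domain, only if SPF returned PASS
    dkim_domains: list[str] = field(default_factory=list)  # d= of signatures that verified


def dmarc_result(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """Separate 'some identifier authenticated' from 'an authenticated identifier is aligned'."""
    dkim_aligned = [d for d in r.dkim_domains if aligned(r.from_domain, d, adkim)]
    spf_aligned = r.spf_domain is not None and aligned(r.from_domain, r.spf_domain, aspf)
    authenticated = bool(r.dkim_domains) or r.spf_domain is not None
    return {
        "authenticated": authenticated,           # SPF or DKIM succeeded for some domain
        "aligned": bool(dkim_aligned) or spf_aligned,  # DMARC PASS requires this
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
    }


# Constructed scenarios, not captured traffic.
DIRECT = AuthResults("example.com", "example.com", ["example.com"])
BULK_SUBDOMAINS = AuthResults("example.com", "bounce.example.com", ["mail.example.com"])
LIST_RESEND = AuthResults("example.com", "lists.example.net", ["lists.example.net"])

if __name__ == "__main__":
    for name, case in [("direct", DIRECT), ("bulk", BULK_SUBDOMAINS), ("list", LIST_RESEND)]:
        print(name, "relaxed:", dmarc_result(case), "strict:", dmarc_result(case, "s", "s"))
```

The mailing-list scenario is the one John describes: the resend is authenticated (the list's own SPF and DKIM succeed for its domain) yet nothing is aligned with the author's From domain, so it is not a DMARC PASS under either mode. The bulk-sender scenario passes only under relaxed alignment, which is exactly the extra PASS volume Doug is arguing about.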
