On Fri 16/Jun/2023 13:02:46 +0200 Douglas Foster wrote:
The solution is to talk about the differences in confidence provided by the different authentication methods, and note that evaluators have reason to distrust some of them. That distrust could cause a weakly authenticated message to be distrusted by some evaluators.
SPF reliability is not something that an evaluator can automatically learn, at least not straightforwardly. Overbloated SPF settings can make impersonation possible, thereby betraying DMARC intent. Concerned domains should be advised to not include such stuff in their SPF record.
If someone set +all in their SPF record, then anyone is authorized to send mail on their behalf. It is not an evaluator's job to syndicate their policy. The problem arises if —as someone voiced— there are cases where a domain is somehow forced to publish a bloated SPF record, yet doesn't want to be freely impersonated and seeks DMARC protection. Do such cases exist?
Best Ale -- _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
