> On Jun 17, 2023, at 9:50 PM, John Levine <jo...@taugh.com> wrote: > > It appears that Hector Santos <hsan...@isdg.net> said: >>> Can these senders not accomplish the same thing by removing the SPF record >>> altogether? >>> >>> -MSK, participating >> >> >> Isn’t SPF, DKIM and alignment are all required for DMARC1 passage? Failure >> if any are missing? > > No, that has never been the case. Please reread RFC 7489. >
Everything in that doc, all angles of reading this Informational Status RFC suggest SPF is a natural part of the DMARC consideration. A domain with a DMARC1 record is expected to have SPF and DKIM. The authenticated identifiers need to be aligned as well. The DMARC1 policy define how failures are handled. If the policy p=none allows for failures by not having a SPF record, I would agree that would be technically true but not all receivers behave the same. With restrictive DMARC policies. SPF is pretty much required. Senders risked failures by receivers who may applied it inconsistently. Section 4.3 has items 1,6, 7 and 8 describing SPF as a factor in the established procedure and flow and consideration in policy result evaluation. Let’s consider the huge industry DMARC marketing as well where SPF, DKIM are described as necessary email security preparation for DMARC. The section 10.1, 2nd para confirms my main point that SPF may be processed separately for reject (-all) results preempting payload processing: Some receiver architectures might implement SPF in advance of any DMARC operations. This means that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Operators choosing to use "-all" should be aware of this. Anyway, I support removing SPF from the DMARCbis or DMARC2 evaluation. Section 10.1 2nd para semantics need to remain. Thanks — HLS
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc