On Thu, Jun 22, 2023 at 7:18 PM John Levine <jo...@taugh.com> wrote:

> It appears that Emil Gustafsson  <e...@google.com> said:
> >I don't know if there is a better way to encode that, but I'm supportive
> >of making a change that would allow domains to tell us (gmail) that they
> >prefer us to require both dkim and spf for DMARC evaluation (or whatever
> >combination of DKIM and SPF they desire).
>
> I really don't understand what problem this solves. More likely people
> will see blog posts telling them auth=dkim+spf is "more secure",
> they'll add that without understanding what it means, and all that
> will happen is that more of their legit mail will disappear.
>
> If you're worried about DKIM replay attacks, let's fix that rather
> than trying to use SPF, which as we know has all sorts of problems of
> its own, as a band-aid.
>
> R's,
> John
>

I agree with John's point that dkim+spf doesn't make sense in the context
of strict DMARC enforcement (I think it provides value for p=none domains
but it's not worth that complexity). If we leave out `dkim+spf` as an
option then we can still solve >90% of the problem at hand without having
confused users misusing that option. I would support allowing the following
options for the auth tag:
   "auth=dkim|spf (default value: same as current state), auth=dkim, auth=spf"
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
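To make the proposal concrete, here is a worked example added to this page; it is not code from the thread, from Google, or from any IETF draft. It parses a DMARC TXT record, evaluates it against the aligned SPF/DKIM outcomes a receiver already has, and compares the three `auth` values the reply above would allow (`dkim|spf`, `dkim`, `spf`) with the `dkim+spf` value it would leave out. The `auth` tag name, its values and the `|`/`+` separators are taken from the thread and are hypothetical (they are not in RFC 7489); the message scenarios are constructed inputs, and SPF/DKIM verification itself is assumed to have happened upstream.

```python
"""
Added example: DMARC disposition with a hypothetical 'auth' tag.

The 'auth' tag and its values ('dkim|spf', 'dkim', 'spf', 'dkim+spf') are
taken from the mailing-list proposal, not from RFC 7489. Aligned SPF and
DKIM results are supplied as inputs; actual SPF/DKIM checking is out of scope.
"""
from dataclasses import dataclass

# Values the thread discusses. 'dkim+spf' is modelled only so that its effect
# on legitimate forwarded mail can be compared with the other options.
AUTH_VALUES = ("dkim|spf", "dkim", "spf", "dkim+spf")


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag names.

    Tags are ';'-separated 'name=value' pairs; whitespace around names, values
    and ';' is ignored. The record must start with v=DMARC1 and carry a p= tag
    (RFC 7489 requirements); duplicate tags are rejected.
    """
    tags: dict = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


@dataclass(frozen=True)
class AuthResults:
    """Aligned authentication outcomes for one message (constructed input)."""
    dkim_aligned_pass: bool   # some DKIM signature verified AND its d= aligns
    spf_aligned_pass: bool    # SPF passed AND the checked domain aligns


def dmarc_passes(record: dict, r: AuthResults) -> bool:
    """Apply the (hypothetical) auth= tag; absent tag = today's either/or rule."""
    auth = record.get("auth", "dkim|spf").lower()
    if auth == "dkim|spf":
        return r.dkim_aligned_pass or r.spf_aligned_pass
    if auth == "dkim":
        return r.dkim_aligned_pass
    if auth == "spf":
        return r.spf_aligned_pass
    if auth == "dkim+spf":
        return r.dkim_aligned_pass and r.spf_aligned_pass
    raise ValueError(f"unknown auth value: {auth!r}")


def disposition(record: dict, r: AuthResults) -> str:
    """'pass' if DMARC passes, otherwise the domain's requested p= action."""
    return "pass" if dmarc_passes(record, r) else record["p"].lower()


# Constructed scenarios. Note that a legitimately forwarded message and a
# DKIM-replayed message present the same two signals to this evaluation:
# the signature still verifies, SPF fails because the sending IP is not the
# domain's. Nothing in the DMARC check itself can tell them apart.
SCENARIOS = {
    "direct":      AuthResults(dkim_aligned_pass=True,  spf_aligned_pass=True),
    "forwarded":   AuthResults(dkim_aligned_pass=True,  spf_aligned_pass=False),
    "dkim_replay": AuthResults(dkim_aligned_pass=True,  spf_aligned_pass=False),
    "unsigned":    AuthResults(dkim_aligned_pass=False, spf_aligned_pass=True),
    "spoofed":     AuthResults(dkim_aligned_pass=False, spf_aligned_pass=False),
}


def compare_auth_options(base_record: str) -> dict:
    """Disposition of every scenario under each auth= value appended to base_record."""
    table = {}
    for auth in AUTH_VALUES:
        rec = parse_dmarc_record(f"{base_record}; auth={auth}")
        table[auth] = {name: disposition(rec, r) for name, r in SCENARIOS.items()}
    return table


if __name__ == "__main__":
    base = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    for auth, row in compare_auth_options(base).items():
        print(f"auth={auth:9s} " + "  ".join(f"{k}={v}" for k, v in row.items()))
```

Running it with `p=reject` shows the trade-off the thread is arguing about: `auth=dkim|spf` and `auth=dkim` keep forwarded mail deliverable (and therefore also let the replay through), while `auth=spf` and `auth=dkim+spf` reject the replay and the forwarded message alike.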