Is there a use case for "SPF only"? 1) "We use ESPs but we never sign, so don't expect one."
2) "We have so many problems with DKIM reply that you should ignore signatures even if they verify." 3) "We never sign, so if you see a failed signature, it is a fraud attempt." None of these seem important to me. Doug On Fri, Jun 23, 2023, 12:43 AM Emanuel Schorsch <emschorsch= [email protected]> wrote: > > > On Thu, Jun 22, 2023 at 7:18 PM John Levine <[email protected]> wrote: > >> It appears that Emil Gustafsson <[email protected]> said: >> >I don't know if there is a better way to encode that, but I'm supportive >> of >> >making a change that that would allow domains to tell us (gmail) that >> they >> >prefer us to require both dkim and spf for DMARC evaluation (or whatever >> >combination of DKIM and SPF they desire). >> >> I really don't understand what problem this solves. More likely people >> will see blog posts telling them auth=dkim+spf is "more secure", >> they'll add that without understanding what it means, and all that >> will happen is that more of their legit mail will disappear. >> >> If you're worried about DKIM replay attacks, let's fix that rather >> than trying to use SPF, which as we know has all sorts of problems of >> its own, as a band-aid. >> >> R's, >> John >> > > I agree with John's point that dkim+spf doesn't make sense in the context > of strict DMARC enforcement (I think it provides value for p=none domains > but it's not worth that complexity). If we leave out `dkim+spf` as an > option then we can still solve >90% of the problem at hand without having > confused users misusing that option. I would support allowing the following > options for the auth tag: > "auth=dkim|spf (default value: same as current state), auth=dkim, > auth=spf" > _______________________________________________ > dmarc mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
