John, you have a solid theoretical argument, but mail senders are pragmatists, not theorists.
There are still filtering products in use that evaluate SPF but not DMARC. In the products that I have seen up close, they only act on SPF FAIL, and ignore SPF NONE. But without certainty about how all evaluators operate, there is a strong incentive to keep SPF PASS in place. I note that Gmail.com still has an SPF Policy. Adding a flag to evaluate DMARC without SPF allows a sender to navigate the market differences between DMARC-aware and DMARC-ignorant evaluators. Doug On Fri, Jun 23, 2023 at 3:30 PM John R Levine <[email protected]> wrote: > > Presumably, a sender who uses DMARC might publish SPF to cover > > recipients who don't use DMARC, but would prefer that recipients use > > DMARC (authenticated by DKIM only). > > I get that, but that's still simultaneously saying "use SPF to > authenticate me" and "don't use SPF to authenticate me." If SPF is so > unreliable that you don't want people to use it for your DMARC alignment, > why would you want them to use it otherwise? > > I worry this is encouraging security theater, look I have super secure > DMARC p=reject and, we won't get our deliverability numbers without a big > fuzzy SPF record. > > R's, > John > > > > Barry > > > > On Fri, Jun 23, 2023 at 1:54 PM John R Levine <[email protected]> wrote: > >> > >>> My understanding is that if `auth=dkim` then SPF would be ignored from > the > >>> perspective of DMARC. So if a receiver sees DKIM is not DMARC aligned > and > >>> only SPF is DMARC aligned then it would still be treated as a DMARC > fail. > >> > >> That's my understanding. > >> > >>> It would be a way for senders to say "yes I checked that all my DKIM > >>> signatures are working and aligned, I don't need you to look at SPF and > >>> don't want to have the risk of SPF Upgrades. > >> > >> So why do you publish an SPF record? Presumably so someone will accept > >> your mail who wouldn't otherwise, except you just said they shouldn't. > >> Still not making sense to me. > >> > >> Regards, > >> John Levine, [email protected], Taughannock Networks, Trumansburg NY > >> Please consider the environment before reading this e-mail. > https://jl.ly > >> > >> _______________________________________________ > >> dmarc mailing list > >> [email protected] > >> https://www.ietf.org/mailman/listinfo/dmarc > > > > > > Regards, > John Levine, [email protected], Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. https://jl.ly > > _______________________________________________ > dmarc mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
