On Mon 26/Jun/2023 20:13:53 +0200 Barry Leiba wrote:
> I'm saying I don't want "and" to be an option, because I think it's
> damaging to DMARC.  There is no reason anyone should ever want to say
> that, and providing the option asks for misconfigurations because
> people think it's somehow "more secure".  It's not more secure.  It
> would be very bad for deliverability of legitimate mail and would
> provide no additional security.  It would be a terrible mistake.


I've been sporting spf-all for years, and seldom experienced bounces, mostly due to misconfigured secondary MXes. Out of 39 domains whose posts to this list in the past year are still in my inbox, 14 have spf-all. So, while I'm not the only one, not many published -all even though it may seem to be somehow more secure.

I think it can be worth comparing SPF and DMARC. Another sender policy, a decade and an authentication method later. What adoption, what hype.

Both policies ask receivers to reject a domain identifier in some cases. RFC 7208 explicitly suggests considering whitelisting (Appendix D). DMARC provides for overrides but is less clear about how to handle exceptions. After SPF broke forwarding, the reaction was split between some changing identifier and turning to ~all; after DMARC broke mailing lists, between changing identifier and not altering messages. In my limited experience, the ratio seems to be higher for DMARC than SPF, but I may be wrong.

In theory, domains that currently have a strict DMARC policy and spf-all, 6 of the above, should have their messages blocked when either method fails, up to changing identifiers. Why would it be so bad for deliverability to additionally require DMARC alignment, which is the difference between that and the "and"?

And, it seems to me that an ESP not having a bloated SPF record could stop a good deal of DKIM replay by resorting to auth=dkim+spf. Besides collateral deliverability problems, why wouldn't that work?

Why would "and" damage DMARC more than -all damaged SPF?

I hope we can discuss detailed criticism rather than vague ostracism.


Best
Ale
--
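To make the trade-off argued in this exchange concrete, here is an added example, not code from the thread: a minimal DMARC evaluator that compares the standard "either SPF or DKIM aligns" rule with the "and" rule discussed above (spelled auth=dkim+spf). The auth= tag is only a proposal in this discussion, not part of RFC 7489; the org-domain shortcut and the four scenarios are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthResults:
    """Constructed authentication results for one message."""
    from_domain: str     # RFC5322.From domain
    spf_result: str      # "pass" / "fail" / "none"
    spf_domain: str      # domain SPF authenticated (MAIL FROM)
    dkim_result: str     # "pass" / "fail" / "none"
    dkim_domain: str     # signing domain (d=)

def org_domain(domain: str) -> str:
    # Simplification for the sample data: real code uses the PSL.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" = strict (exact match), "r" = relaxed (same org domain)
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def dmarc_pass(r: AuthResults, auth: str = "dkim|spf",
               adkim: str = "r", aspf: str = "r") -> bool:
    """auth="dkim|spf" is RFC 7489 DMARC: pass if either identifier aligns.
    auth="dkim+spf" is the hypothetical "and": both must pass and align."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    if auth == "dkim+spf":
        return spf_ok and dkim_ok
    return spf_ok or dkim_ok

# Constructed scenarios for a sender at example.com
SCENARIOS = {
    # direct delivery: both mechanisms pass and align
    "direct": AuthResults("example.com", "pass", "example.com", "pass", "example.com"),
    # plain forwarding: SPF fails at the forwarder's IP, DKIM survives
    "forwarded": AuthResults("example.com", "fail", "example.com", "pass", "example.com"),
    # mailing list altering the message: DKIM broken, SPF authenticates the list domain
    "mailing_list": AuthResults("example.com", "pass", "lists.example.org", "fail", "example.com"),
    # DKIM replay: an intact legitimately signed message re-sent from an unrelated host
    "dkim_replay": AuthResults("example.com", "fail", "unrelated.example", "pass", "example.com"),
}

def compare_policies() -> dict:
    """Map scenario -> (verdict under 'either', verdict under 'and')."""
    return {name: (dmarc_pass(r), dmarc_pass(r, auth="dkim+spf"))
            for name, r in SCENARIOS.items()}
```

The table returned by compare_policies() shows both sides of the argument at once: "and" is the only rule that fails the replayed message, and it also fails the plainly forwarded one.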
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc