On Wed, Jun 28, 2023 at 5:50 PM Douglas Foster <
[email protected]> wrote:

> We are talking about SPF AND DKIM because of the problems with DKIM
> replay. Can someone summarize the state of the DKIM update options that
> have been ruled in or ruled out?
>

I'll clarify how I view SPF AND DKIM in relation to DKIM Replay. Let's use
bob.com as the domain:

   - If DK=bob.com and SPF=bob.com then NOT dkim replay.
   - If DK=bob.com and SPF!=bob.com then MAYBE dkim replay (of course
   probability of dkim replay varies widely, and could still be 0 for this
   particular SPF)
   - If DK=bob.com and SPF!=bob.com and DMARC policy is SPF AND DKIM then
   LIKELY dkim replay if seen in large volumes.

So the value of that DMARC policy for DKIM Replay is that bob.com can be
better protected against heavy replays because they have a way to say "I've
checked all my direct flows have SPF AND DK aligned. If you see mail with a
different SPF you can be sure it's an indirect flow and be more aggressive
about quota limiting large volumes."

To be clear, that would be a benefit for protecting aligned domains that
are replayed, but I'm NOT suggesting this is enough benefit to allow users
to set SPF AND DKIM for a DMARC auth policy. I agree with others that it's
a footgun, and it would be better to convey this information in some other
way.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
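
The three cases in the message above, applied to receiver-side data, as an added example that is not part of the original thread or of any DMARC implementation. It assumes RFC 8601 style Authentication-Results headers; the `STRICT_DOMAINS` set stands in for the hypothetical "SPF AND DKIM" declaration discussed in the thread (no such DMARC tag exists), and the threshold, headers and alignment shortcut are constructed for the demo.

```python
import re
from collections import Counter

# Hypothetical: domains assumed to have declared that all direct flows
# pass SPF AND DKIM aligned. No such DMARC tag exists today.
STRICT_DOMAINS = {"bob.com"}
VOLUME_THRESHOLD = 3  # constructed value standing in for "large volumes"

# Constructed Authentication-Results headers, not real traffic.
SAMPLE_HEADERS = (
    ["mx.example.net; dkim=pass header.d=bob.com; spf=pass smtp.mailfrom=bob.com"]
    + ["mx.example.net; dkim=pass header.d=bob.com; spf=pass smtp.mailfrom=x@relay.example"] * 3
    + ["mx.example.net; dkim=pass header.d=alice.example; spf=pass smtp.mailfrom=list.example"]
    + ["mx.example.net; dkim=pass header.d=carol.example; spf=pass smtp.mailfrom=b@mail.carol.example"]
)

DKIM_RE = re.compile(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", re.I)
SPF_RE = re.compile(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", re.I)

def aligned(spf_domain, dkim_domain):
    # Simplified relaxed alignment: same domain or a subdomain of it.
    # Real DMARC alignment compares organizational domains.
    return spf_domain == dkim_domain or spf_domain.endswith("." + dkim_domain)

def parse(header):
    """Return (dkim_domain, spf_domain); None where that check did not pass."""
    d = DKIM_RE.search(header)
    s = SPF_RE.search(header)
    dkim = d.group(1).lower() if d else None
    spf = s.group(1).lower().rpartition("@")[2] if s else None
    return dkim, spf

def classify(headers):
    """Map each DKIM-passing domain to NOT / MAYBE / LIKELY replay."""
    unaligned, seen = Counter(), set()
    for h in headers:
        dkim, spf = parse(h)
        if dkim is None:
            continue  # no DKIM pass, so nothing to replay
        seen.add(dkim)
        if spf is None or not aligned(spf, dkim):
            unaligned[dkim] += 1  # DKIM passes without an aligned SPF pass
    verdicts = {}
    for dom in seen:
        n = unaligned[dom]
        strict_and_heavy = dom in STRICT_DOMAINS and n >= VOLUME_THRESHOLD
        verdicts[dom] = "NOT" if n == 0 else ("LIKELY" if strict_and_heavy else "MAYBE")
    return verdicts
```

A "LIKELY" verdict here is only a signal for more aggressive quota limiting of the unaligned flow, as the message suggests, not a reason to reject mail outright.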
