At IETF-117, I restarted the proposal for a policy "auth=" tag based on the proposal here <https://mailarchive.ietf.org/arch/msg/dmarc/KeGbMfX91WJk_aziKsrRfI6AYkI/>. The "auth=" policy allows for restriction of SPF in scenarios where it might be problematic but still retains its availability in DMARC by default. I didn't hear objections at 117, so below is some proposed language for "auth=" for dmarc-ietf-dmarc-dmarcbis.
-Wei

=====

1. Introduction, 3rd paragraph insert after first sentence:

In addition, the choice of permitted authentication methods, SPF or DKIM, MAY be explicitly specified, potentially to restrict the supported authentication methods.

4.3 Authentication Mechanisms append:

Domain Owners and PSOs MAY explicitly specify the supported authentication methods via the "auth=" tag. The value is a colon ':' separated list of supported authentication methods without whitespace. The order of the list isn't significant, and unknown methods are ignored. An aligned passing result for any listed method indicates a DMARC pass. An empty list indicates no authentication method is specified and DMARC is disabled. If unspecified with a policy tag "auth=", this indicates that both DKIM and SPF are supported.

5.3 General Record Format insert:

auth: Indicates the supported authentication methods. If more than one method is specified, they are colon ':' separated without whitespace. The order of the list is not significant and unknown methods are ignored. An empty list indicates no authentication method is specified and DMARC is disabled.

   dkim: Authenticate with DKIM
   spf: Authenticate with SPF

5.4. Formal Definition insert:

dmarc-auth = <empty> / "dkim" / "spf" / "dkim:spf" / "spf:dkim"

Table:

Tag Name   Value Rule
auth       dmarc-auth
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
