On August 4, 2023 4:16:39 PM UTC, Wei Chuang 
<weihaw=40google....@dmarc.ietf.org> wrote:
>At IETF-117, I restarted the proposal for a policy "auth=" tag based on the
>proposal here
><https://mailarchive.ietf.org/arch/msg/dmarc/KeGbMfX91WJk_aziKsrRfI6AYkI/>.
>The "auth=" policy allows for restriction of SPF in scenarios where it
>might be problematic but still retains its availability in DMARC by
>default.  I didn't hear objections at 117, so below is some proposed
>language for "auth=" for dmarc-ietf-dmarc-dmarcbis.
>
>-Wei
>
>=====
>
>1. Introduction, 3rd paragraph insert after first sentence:
>
>In addition, the choice of permitted authentication methods, SPF or DKIM,
>MAY be explicitly specified, potentially to restrict the supported
>authentication methods.
>
>4.3 Authentication Mechanisms append:
>
>Domain Owners and PSOs MAY explicitly specify the supported authentication
>methods via the "auth=" tag.  The value is a colon ':' separated list of
>supported authentication methods without whitespace.  The order of the list
>isn't significant, and unknown methods are ignored.  An aligned passing
>result for any listed method indicates a DMARC pass.  An empty list
>indicates no authentication method is specified and DMARC is disabled.  If
>unspecified with a policy tag "auth=",  this indicates that both DKIM and
>SPF are supported.
>
>5.3 General Record Format insert:
>
>auth: Indicates the supported authentication methods.  If more than one
>method is specified, they are colon ':' separated without whitespace.  The
>order of the list is not significant and unknown methods are ignored.  An
>empty list indicates no authentication method is specified and DMARC is
>disabled.
>  dkim: Authenticate with DKIM
>  spf: Authenticate with SPF
>
>5.4. Formal Definition insert:
>
>dmarc-auth = <empty> / "dkim" / "spf" / "dkim:spf" / "spf:dkim"
>
>Table:
>Tag Name   Value Rule
>auth       dmarc-auth

I'm still not convinced we need this, but I can live with it.

In 5.3 you need to specify the tag is optional and that the default (to be used 
in the absence of the tag) is spf:dkim.  That is necessary to preserve backward 
compatibility with existing records (which I think is essential for DMARCbis).

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
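
The semantics discussed in this thread, as an added example that is not part of either message or of any DMARC implementation: it evaluates the proposed "auth=" tag, using the spf:dkim default for records without the tag as requested in the reply. The function names and sample records are constructed for illustration, and treating a list of only unknown methods as a fail is an assumption the proposed text does not cover.

```python
# Added example: evaluates the proposed "auth=" tag from this thread.
KNOWN_METHODS = frozenset({"dkim", "spf"})
DEFAULT_METHODS = frozenset({"spf", "dkim"})  # used when the tag is absent


def parse_tags(record):
    """Split a DMARC record into a {tag: value} dict (pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def permitted_methods(record):
    """Return the set of permitted methods, or None when DMARC is disabled."""
    tags = parse_tags(record)
    if "auth" not in tags:
        return DEFAULT_METHODS  # existing records keep their current meaning
    value = tags["auth"]
    if value == "":
        return None  # empty list: no method specified, DMARC is disabled
    # Order is not significant and unknown methods are ignored.
    return frozenset(m for m in value.split(":") if m in KNOWN_METHODS)


def evaluate(record, aligned_pass):
    """aligned_pass: methods that produced an aligned pass for the message."""
    methods = permitted_methods(record)
    if methods is None:
        return "disabled"
    # Assumption: if only unknown methods were listed, nothing can pass.
    return "pass" if methods & set(aligned_pass) else "fail"


# Constructed sample records, not taken from the thread.
SAMPLES = {
    "legacy": "v=DMARC1; p=reject",
    "dkim_only": "v=DMARC1; p=reject; auth=dkim",
    "reordered": "v=DMARC1; p=reject; auth=spf:dkim",
    "unknown_mixed": "v=DMARC1; p=reject; auth=dkim:futuremethod",
    "empty": "v=DMARC1; p=reject; auth=",
}

if __name__ == "__main__":
    # A message whose only aligned pass is SPF, checked against each record.
    for name, rec in SAMPLES.items():
        print(name, evaluate(rec, {"spf"}))
```
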
