> On Aug 5, 2023, at 5:37 PM, Scott Kitterman <[email protected]> wrote:
>
> On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote:
>> It appears that Scott Kitterman <[email protected]> said:
>>>> When receivers apply the "MUST NOT reject" in Section 8.6 to accept
>>>> unauthenticated messages as quarantined messages, receivers SHOULD
>>>> carefully review how they forward mail traffic to prevent additional
>>>> security risk. That is, this downgrade can enable spoofed messages that
>>>> are SPF DMARC authenticated with a fraudulent From identity despite having
>>>> an associated strong DMARC policy of "p=reject". ...
>>
>> We all realize that SPF has problems, but I really do not want to fill
>> up the DMARC document with text that says "you can authenticate with
>> SPF, hahaha no just kidding."
>>
>> The way to fix Microsoft's forwarding SPF problem is for Microsoft to put
>> the forwarding user's bounce address on the message, not for us to tell
>> the entire world to use kludgy workarounds.
>
> I agree. We need to be careful to solve protocol problems in the protocol and
> leave fixing implementation problems to implementers. We aren't going to
> protocol our way out of bad implementation decisions.

Taken within the good-intention, protocol-compliant implementations, which one do we add as “Implementation Notes”? Which, or rather what, “Current Practice” behavior can we note?

— HLS

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
