On Wed 25/Oct/2023 16:01:01 +0200 Scott Kitterman wrote:
On October 25, 2023 1:37:55 PM UTC, John Levine <[email protected]> wrote:
It appears that Scott Kitterman <[email protected]> said:
I haven't seen any valid case for it yet. It adds complexity to little or no benefit.
[...]
There's the counterargument "so don't publish SPF" but it's on so many
checklists that even though that would be a fine idea, it's not practical.
Diving into the SPF angle, if someone has a 'legitimate' mail source that also
sends spoofed mail for them, they can prefix the relevant mechanism with '?' so
it produces a neutral rather than a pass result. DMARC will ignore it then.
Still solvable in SPF with no protocol change.
For example, change _o365spf.state.gov to
"v=spf1 ?include:spf.protection.outlook.com -all"
It was a mistake to have a missing qualifier default to +. Suggesting that the
qualifier is optional implicitly depreciated the value of "pass". But yes,
that fix would work.
It is still possible to provide for an alternative way to fix it. More
complication for more flexibility.
Best
Ale
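
Added example, not part of the thread or of any participant's message: a minimal Python evaluator for a subset of SPF (only `ip4`, `include` and `all`) showing how the `?` qualifier on an `include` turns a match into neutral, which DMARC then does not count. The domains, records and IP addresses are constructed, and strict alignment is assumed for brevity.

```python
import ipaddress

# Constructed records for illustration; not real published DNS data.
RECORDS = {
    "sender.example": "v=spf1 ?include:shared.example -all",
    "plain.example": "v=spf1 include:shared.example -all",
    "shared.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate the ip4/include/all terms of an SPF record (subset of RFC 7208)."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    for term in record.split()[1:]:
        # A missing qualifier defaults to "+", so a match yields pass.
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            # include matches only when the included record returns pass;
            # the result then comes from the qualifier on the include itself.
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched

def dmarc_spf_pass(ip, mail_from_domain, header_from_domain):
    """DMARC counts SPF only when the result is pass and the domains align."""
    # Assumption: strict alignment (exact domain match) to keep this short.
    return (check_host(ip, mail_from_domain) == "pass"
            and mail_from_domain == header_from_domain)
```
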