John Levine writes:
> It appears that Scott Kitterman <[email protected]> said:
> >>* Is there consensus on moving ahead with the idea of a way to indicate
> >>which authentication method(s) the Domain Owner wants Receivers to use? If
> >>so, it doesn't seem to be in the document yet.
> >
> >I haven't seen any valid case for it yet. It adds complexity to
> >little or no benefit.
>
> Normally I am in favor of keeping stuff simple, but I think in this case the
> argument for "DKIM only" is quite strong.
Actually removing SPF completely from DMARC would simplify the protocol a lot, and would solve several issues, where people use DMARC with only SPF, or claim to do DMARC, but do filtering based on the SPF records before getting to the actual email, thus not checking DKIM records at all.

If the DMARC would only use DKIM, that would make it clear that if you want to publish DMARC records you need to also use DKIM, and when checking DMARC records you need to verify DKIM signatures. Whether you do SPF in addition to that before or after would be a local implementation issue, and not part of the DMARC.

There were people who wanted to keep SPF as part of the DMARC, who did not even do DMARC, because they used SPF only as a first step of filtering during the MAIL FROM phase (before being able to fetch DMARC records, or checking DKIM signatures)...

> There's the counterargument "so don't publish SPF" but it's on so
> many checklists that even though that would be a fine idea, it's not
> practical.

That is unfortunately true, but if we could decouple the DMARC from SPF, then at least we could fix the situation at some point...
--
[email protected]
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
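
An added example, not part of the message above: a small evaluator comparing the current DMARC rule (aligned SPF pass or aligned DKIM pass) with the "DKIM only" variant discussed in the thread. The message records are constructed, and `org_domain` is a simplifying assumption (last two labels) standing in for a Public Suffix List lookup.

```python
# Added illustration; all message data below is constructed sample input.
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str) -> bool:
    # Relaxed identifier alignment: the organizational domains match.
    return org_domain(a) == org_domain(b)

@dataclass
class Message:
    from_domain: str        # RFC5322.From domain (what DMARC protects)
    mailfrom_domain: str    # RFC5321.MailFrom domain (what SPF checks)
    spf_pass: bool
    dkim: list = field(default_factory=list)  # (d= domain, signature verified)

def spf_aligned_pass(m: Message) -> bool:
    return m.spf_pass and aligned(m.mailfrom_domain, m.from_domain)

def dkim_aligned_pass(m: Message) -> bool:
    return any(ok and aligned(d, m.from_domain) for d, ok in m.dkim)

def dmarc_pass(m: Message, dkim_only: bool = False) -> bool:
    # dkim_only=True models the proposal: SPF no longer counts toward DMARC.
    if dkim_only:
        return dkim_aligned_pass(m)
    return spf_aligned_pass(m) or dkim_aligned_pass(m)

SAMPLES = {
    # Domain publishes DMARC but relies on SPF alone, no DKIM signature.
    "spf_only_sender": Message("example.com", "bounce.example.com", True),
    # Forwarded mail: SPF fails at the new hop, the DKIM signature survives.
    "forwarded": Message("example.com", "example.com", False,
                         [("mail.example.com", True)]),
    "both": Message("example.com", "example.com", True,
                    [("example.com", True)]),
    # Third-party sender: SPF and DKIM verify, but for an unaligned domain.
    "unaligned": Message("example.com", "esp.example.net", True,
                         [("esp.example.net", True)]),
}

def compare() -> dict:
    # name -> (pass under current rule, pass under DKIM-only rule)
    return {n: (dmarc_pass(m), dmarc_pass(m, True)) for n, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (current, dkim_only) in compare().items():
        print(f"{name:16} current={current!s:5} dkim_only={dkim_only}")
```

The `forwarded` row passes DMARC under both rules, yet a receiver that rejects on SPF during MAIL FROM never reaches the DKIM check that would have passed it.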
