On October 26, 2023 9:46:04 PM UTC, Tero Kivinen <[email protected]> wrote:
>John Levine writes:
>> It appears that Scott Kitterman <[email protected]> said:
>> >>* Is there consensus on moving ahead with the idea of a way to indicate
>> >>which authentication method(s) the Domain Owner wants Receivers to use? If
>> >>so, it doesn't seem to be in the document yet.
>> >
>> >I haven't seen any valid case for it yet. It adds complexity to
>> >little or no benefit.
>>
>> Normally I am in favor of keeping stuff simple, but I think in this case the
>> argument for "DKIM only" is quite strong.
>
>Actually removing SPF completely from DMARC would simplyfy the
>protocol a lot, and would solve several issues, where people use DMARC
>with only SPF, or claim to do dmarc, but do filtering based on the SPF
>records before getting to the actual email, thus not checking DKIM
>records at all.
>
>If the DMARC would only use DKIM, that would make it clear that if you
>want to publish DMARC records you needs to also use DKIM, and when
>checking DMARC records you need to check verify DKIM signatures.
>
>Whether you do SPF in addition to that before or after would be local
>implementation issue, and not part of the DMARC.
>
>There were people who wanted to keep SPF as part of the DMARC, who did
>not even do DMARC, because the used SPF only as a first step of
>filtering during the MAIL FROM phase (before being able to fetch DMARC
>records, or checking DKIM signatures)...
>
>> There's the counterargument "so don't publish SPF" but it's on so
>> many checklists that even though that would be a fine idea, it's not
>> practical.
>
>That is unfortunately true, but if we could decouple the DMARC from
>SPF, then at least we could fix the situation at some point...
I propose that we not repeat this discussion and instead, try to focus on
finishing.
Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
