On Saturday, October 28, 2023 10:51:27 AM EDT Scott Kitterman wrote:
> > Even if we don't add the feature, we should address the vulnerability.
> > Currently there is only a bullet in Section 4.8, Organizational Domain
> > Discovery, saying:
> >
> >   * The domain found in the RFC5321.MailFrom header if there is an SPF
> >     pass result for the message being evaluated.
> >
> > We need to add a subsection in Security Consideration, discussing an
> > example of an include mechanism with a neutral qualifier and its effect on
> > DMARC outcome; that is, how that avoids spurious authentications.
> >
> > The other snippet where SPF qualifiers are discussed is Section 8.1, Issues
> > Specific to SPF. We could add a reference to the added subsection there.
>
> I disagree. It's already addressed in RFC 7208 and we have:
>
> 11.1. Authentication Methods
>
>    Security considerations from the authentication methods used by DMARC
>    are incorporated here by reference.
>
> It's already covered.
I thought some more about this and maybe we should put something in about this.
Maybe something like:

   Domains which publish SPF records that include mechanisms which relate to
   mail services which do not protect against cross-user forgery (RFC 7208,
   Section 11.4) are advised to do so only with the '?' qualifier to mitigate
   the risk that such spoofed messages will receive a DMARC pass result.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
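The following is an added worked example, not part of the thread above and not text from the dmarcbis draft or RFC 7208. It shows why the '?' qualifier on an include matters for DMARC: a message forged from another customer of a shared mail service gets an SPF pass (and therefore an aligned RFC5321.MailFrom identifier) when the service is referenced with a plain `include:`, but only `neutral` (no authenticated identifier) when it is referenced with `?include:`. The zone data (`example.com`, `_spf.shared.example`, the 192.0.2.0/24, 203.0.113.0/24 and 198.51.100.0/24 addresses), the record contents and the cut-down SPF evaluator are all constructed for illustration; the evaluator supports only `ip4`/`ip6`, `include` and `all`, and DMARC alignment is checked in strict mode only.

```python
"""Added example: effect of '?include:' on the DMARC outcome of a forged message.
Constructed for illustration; not code from the dmarc list thread, dmarcbis or RFC 7208."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data. _spf.shared.example stands for a shared mail service whose
# customers all send from 203.0.113.0/24 and which does not check that a given
# customer may use a given MAIL FROM domain (the RFC 7208 Section 11.4 scenario).
ZONE_PLAIN_INCLUDE = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.shared.example -all",
    "_spf.shared.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
ZONE_NEUTRAL_INCLUDE = {
    "example.com": "v=spf1 ip4:192.0.2.10 ?include:_spf.shared.example -all",
    "_spf.shared.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def check_host(ip, domain, zone, depth=0):
    """Minimal SPF check_host(): ip4/ip6, include and all only.
    No a/mx/exists/redirect, no macros; a depth cap stands in for the lookup limit."""
    if depth > 10:
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # RFC 7208 Section 5.2: an include matches only when the referenced
            # record yields pass; fail/softfail/neutral mean "no match, keep going".
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("temperror", "permerror"):
                return inner
            if inner == "none":
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]  # the qualifier decides the result
    return "neutral"  # nothing matched and no explicit 'all'


def spf_authenticated_domain(spf_result, mailfrom_domain):
    """DMARC takes RFC5321.MailFrom as an authenticated identifier only on an SPF
    pass (the Section 4.8 bullet quoted in the thread); any other result gives none."""
    return mailfrom_domain if spf_result == "pass" else None


def spf_gives_dmarc_pass(ip, mailfrom_domain, from_domain, zone):
    """Does the SPF path alone produce a DMARC pass? Strict alignment only;
    relaxed (organizational domain) alignment is omitted to keep this short."""
    result = check_host(ip, mailfrom_domain, zone)
    ident = spf_authenticated_domain(result, mailfrom_domain)
    return ident is not None and ident.lower() == from_domain.lower()


if __name__ == "__main__":
    forged_ip = "203.0.113.5"  # another customer of the shared service, forging example.com
    legit_ip = "192.0.2.10"    # example.com's own MTA
    for label, zone in (("include:", ZONE_PLAIN_INCLUDE), ("?include:", ZONE_NEUTRAL_INCLUDE)):
        print(label,
              "| forged via shared service:", check_host(forged_ip, "example.com", zone),
              "-> DMARC pass via SPF:", spf_gives_dmarc_pass(forged_ip, "example.com", "example.com", zone),
              "| own MTA:", check_host(legit_ip, "example.com", zone))
```

With the plain `include:` the forged message evaluates to `pass`, the MailFrom domain becomes an aligned authenticated identifier, and DMARC passes without any DKIM signature. With `?include:` the same message evaluates to `neutral`, SPF contributes no identifier, and DMARC can only pass if a DKIM signature aligned with the From domain is present. The trade-off the suggested text implies is that the domain's own legitimate mail sent through that shared service also gets only `neutral` from SPF, so it must be DKIM-signed with an aligned d= to keep receiving a DMARC pass.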
