Hi Folks,

As DMARCbis is being updated, I would like to suggest a new tag `required`, shortened to `req`.
```
`req=dkim`: requires DKIM; messages not properly signed are then to be rejected/quarantined based on the 'p' policy.

The tag should allow future expansion by requiring multiple mechanisms, specified as multiple mechanisms separated by commas, e.g. `req=dkim,spf`.
```

Note that `req=spf` does not actually make sense, as that either passes or not. Same for `req=spf,dkim`. Though, maybe for sanity reasons we could specify it so that implementers know that they are required to check SPF + DKIM and whatever optional new feature eventually gets introduced (`req=pgp` or `req=smime`, though that would require public keys to be known by the receiving mail server, which is a long shot :) ). Thus maybe the example could be `req=spf,dkim` to indicate that those need to be checked.

This addresses spammers, but also bots that do:

```
From: [email protected]
Authentication-Results: xxx; dkim=none; arc=none; spf=softfail (Mechanism '~all' matched) [email protected]; dmarc=none
Received-SPF: softfail (google.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=portal.usa6.ops-trust.net; identity=mailfrom; envelope-from="[email protected]"; helo=google.com; client-ip=202.120.11.152
Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=202.120.11.152; helo=google.com; [email protected]; receiver=<UNKNOWN>
Received: from google.com (unknown [202.120.11.152]) by host (Postfix) with ESMTP id xxxx for <test@xxx>; Tue, 6 Feb 2024 03:58:51 +0000 (UTC)

This is a test mail. If you receive this mail, it means your email server lack the authentication for SPF and DMARC. We strongly recommend you to initiate these two authentication protocols.
```

While that passes SPF (~all ...) and as there is no DKIM Signature, there is nothing to be checked.
Yes, one can check the existence of _domainkey.<domain>, but that tells little (NXDOMAIN means total absence of keys; NOERROR might mean there is a DKIM key, but maybe one not used for these mailings). Checking it would also stop the ability to slowly roll out DKIM.

Hence the proposal to put it in the DMARC record: tell a receiver what is required for the mail to be considered valid.

Regards,
Jeroen

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
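To make the proposal concrete for receivers, here is an added example (not part of the post above and not code from any DMARC implementation) of how a policy evaluator might honour a `req` tag as the post describes it. It parses a DMARC TXT record, extracts method results from an Authentication-Results header in the simplified shape shown in the post, and then applies the `p` disposition when a mechanism listed in `req` did not pass, even though plain DMARC would have accepted the message on SPF alone. The `req` tag syntax, the record and header strings, and the `evaluate` function are all assumptions of this example; identifier alignment is not modelled, the results are taken as already being for the aligned domain.

```python
"""Evaluate a DMARC record that carries the proposed 'req' tag.

Added example only: the 'req' tag is the proposal from the mailing list post,
not an existing DMARC tag, and the header parsing is a simplified reading of
the Authentication-Results shape shown there, not a full RFC 8601 parser.
"""
import re

# Constructed sample inputs, modelled on the bot mail quoted in the post.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; req=dkim"
SAMPLE_BOT_AR = (
    "Authentication-Results: mx.example.net; dkim=none; arc=none; "
    "spf=softfail (Mechanism '~all' matched) smtp.mailfrom=example.org; dmarc=none"
)
SAMPLE_GOOD_AR = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.org; "
    "spf=pass smtp.mailfrom=example.org; dmarc=pass"
)


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; req=dkim' into a tag/value dict.

    The (hypothetical) 'req' value is expanded into 'req_list', a list of
    mechanism names that must each pass.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags["req_list"] = [
        m.strip().lower() for m in tags.get("req", "").split(",") if m.strip()
    ]
    return tags


def parse_auth_results(header: str) -> dict:
    """Extract method=result pairs (dkim, spf, arc, dmarc) from the header.

    Only the first result per method is kept; property names such as
    'header.d' or 'smtp.mailfrom' do not match the method list and are ignored.
    """
    body = header.split(";", 1)[1] if ";" in header else header
    results = {}
    for m in re.finditer(r"\b(dkim|spf|arc|dmarc)=([a-z]+)", body.lower()):
        results.setdefault(m.group(1), m.group(2))
    return results


def evaluate(record: dict, auth: dict) -> str:
    """Return 'pass', or the disposition named by the 'p' tag.

    Plain DMARC passes when either SPF or DKIM passes (alignment assumed).
    With the proposed 'req' tag, every listed mechanism must itself pass, so
    a message without a DKIM signature (dkim=none) is no longer rescued by SPF.
    """
    passed = {method for method, result in auth.items() if result == "pass"}
    dmarc_pass = bool(passed & {"spf", "dkim"})
    req_ok = all(method in passed for method in record["req_list"])
    if dmarc_pass and req_ok:
        return "pass"
    return record.get("p", "none")


def disposition_for(record_txt: str, ar_header: str) -> str:
    """Convenience wrapper: record text + Authentication-Results -> disposition."""
    return evaluate(parse_dmarc_record(record_txt), parse_auth_results(ar_header))


if __name__ == "__main__":
    for label, ar in (("bot mail", SAMPLE_BOT_AR), ("signed mail", SAMPLE_GOOD_AR)):
        print(f"{label}: {disposition_for(SAMPLE_RECORD, ar)}")
```

The interesting comparison is the bot sample against `v=DMARC1; p=reject` with and without `req=dkim`: with an SPF softfail and no signature the plain record already yields `reject`, but a message that passes SPF while carrying no DKIM signature is accepted by the plain record and rejected once `req=dkim` is present, which is exactly the gap the post is pointing at.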
