> On 6 Feb 2024, at 20:52, John Levine <jo...@taugh.com> wrote:
> 
> It appears that Jeroen Massar  <jer...@massar.ch> said:
>> Hi Folks,
>> 
>> As DMARCbis is being updated, I would like to suggest a new tag `required` 
>> shortened to `req`.
>> 
>> `req=dkim`: requires DKIM, messages not properly signed are then to be 
>> rejected/quarantined based on 'p' policy.
>> 
>> The tag should allow future expansion by requiring multiple mechanisms to be 
>> required by specifying
>> multiple mechanisms separate, e.g. with `req=dkim,spf`. ...
> 
> Unless something important has changed since the last time we took up
> and rejected this idea, I don't think we need to discuss it further.

Is the reasoning documented? I have checked the list archives, but there are a 
LOT of list archives...

As at the moment, as per the example I gave in the email, DKIM is futile to 
have if SPF passes.
A spammer can get around DKIM by ensuring SPF works, which is the case for many 
shared 'mass email services' that share IP addresses.


For gmail.com <http://gmail.com/> as a very big example, SPF passes due to ~all 
and the evaluation of DKIM can be ignored (and as the header is not present, no 
way to know it should have been there).

If there was a way to signal "DKIM is required" then one could change the 
current "either SPF _or_ DKIM-valid-signature".

But currently, that is not the case, thus DKIM is effectively useless unless 
one says "but one should track that previously DKIM has been used" which does 
not fly for slow roll-out... with the selector there is a 

DMARC would be the best place to announce the policy that DKIM is required. 
(and would also effectively make it possible to slowly get rid of SPF over 
time... at the moment it is either SPF or DKIM...)

Regards,
 Jeroen

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
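
The pass rule this message argues about, next to the proposed `req` tag, as an added example that is not part of the original e-mail and not code from any DMARC specification or implementation. The `req` tag is the poster's proposal only; the function names, the example.org records, the fail-closed handling of unknown mechanisms and the `none` default for a missing `p` are assumptions made for the illustration.

```python
# Added example: DMARC pass logic today vs. the `req` tag proposed in this thread.
# `req` is the poster's proposal, not part of RFC 7489 or any published DMARC spec.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag -> value dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def evaluate(record: str, spf_aligned_pass: bool, dkim_aligned_pass: bool) -> str:
    """Return 'pass', or the disposition taken from the 'p' tag on failure.

    The two booleans are the *aligned* SPF and DKIM results the receiver
    has already computed for the message.
    """
    tags = parse_dmarc(record)
    passed = {"spf": spf_aligned_pass, "dkim": dkim_aligned_pass}
    # Hypothetical `req` tag: every listed mechanism must pass.
    required = [m.strip().lower() for m in tags.get("req", "").split(",") if m.strip()]
    if required:
        # Assumption: a mechanism this receiver does not know fails closed.
        ok = all(passed.get(m, False) for m in required)
    else:
        # Current DMARC rule: one aligned pass, from either mechanism, is enough.
        ok = spf_aligned_pass or dkim_aligned_pass
    # Assumption: a record without 'p' is treated as p=none.
    return "pass" if ok else tags.get("p", "none")

# Constructed records for the placeholder domain example.org.
TODAY = "v=DMARC1; p=reject"
PROPOSED = "v=DMARC1; p=reject; req=dkim"

if __name__ == "__main__":
    # Unsigned message sent through an IP that the domain's SPF record authorises.
    print(evaluate(TODAY, spf_aligned_pass=True, dkim_aligned_pass=False))     # pass
    print(evaluate(PROPOSED, spf_aligned_pass=True, dkim_aligned_pass=False))  # reject
```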
