I am surprised at the lack of feedback about Barry's research link. It is a devastating attack on our ability to trust SPF when shared infrastructure is involved. As a result of that document, I have switched camps and believe that we MUST provide a DKIM-only option for DMARC.
The proposed workaround, of using a "?" modifier to force SPF Neutral instead of Pass, seems to lack both awareness and implementation, since it was not even mentioned in the research document as a mitigation. Doug Foster
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc