Todd Herr writes:
On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely <[email protected]> wrote:

in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
sentence says:

    The SPF record SHOULD be constructed at a minimum to ensure an SPF
    pass verdict for all known sources of mail for the RFC5321.MailFrom
    domain.

As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
only.  An additional phrase about using the neutral qualifier ("?") for
public sources might also be added.

To further this discussion, please define "public sources", compare and
contrast that definition to the definition of "private sources", and then
describe which sources are "trusted" and by whom.


*public sources* is a set of IP addresses used by an operator who sends mail on behalf of its customers, not by assigning different addresses to different customers, but according to whatever other criteria that mix them up.

*private sources* are IP addresses in exclusive use by a domain.

A public source can be *trusted* by its customers if it reliably filters outgoing mail by ensuring that messages sent by a given customer contain From: domains owned by that customer.

That's obviously too long to go on the I-D. The point has to be expressed in one or two sentences. Certainly, we cannot recommend an insecure practice.


Best
Ale
--

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
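The qualifier choice the thread argues for, as an added illustration that is not part of the thread or of the I-D: private sources in exclusive use by the domain get the default "+" (pass), a shared public source gets "?" (neutral), and everything else hits "-all". The evaluator is deliberately minimal (ip4 and all mechanisms only, no DNS), and the record and addresses are constructed.

```python
"""Minimal SPF evaluator (ip4/all only, no DNS) showing the qualifier choice
discussed above: "+" for private sources, "?" for shared public sources,
"-all" for the rest. Added example; record and addresses are constructed."""
import ipaddress

# Constructed policy for a hypothetical domain:
#   203.0.113.0/24  - private source in exclusive use by the domain -> +ip4 (pass)
#   198.51.100.0/24 - public source shared with other customers     -> ?ip4 (neutral)
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 ?ip4:198.51.100.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Return a list of (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # RFC 7208: "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Only ip4 and all are handled; mechanisms such as include or a need DNS
    lookups and are rejected here rather than silently ignored."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_record(record):
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
            continue
        raise NotImplementedError(f"mechanism {mech!r} needs DNS; not handled here")
    return "neutral"  # RFC 7208 default when nothing matches and no "all" is present


if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(src, "->", evaluate(EXAMPLE_RECORD, src))
```

A message from the shared range thus neither passes nor fails SPF on its own, so a forged From: domain relayed through that operator cannot pick up an aligned SPF pass it has not earned.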