On March 5, 2024 3:46:39 PM UTC, Alessandro Vesely <[email protected]> wrote:
>Todd Herr writes:
>> On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely <[email protected]> wrote:
>>
>>> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
>>> sentence says:
>>>
>>>     The SPF record SHOULD be constructed
>>>     at a minimum to ensure an SPF pass verdict for all known sources of
>>>     mail for the RFC5321.MailFrom domain.
>>>
>>> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
>>> only. An additional phrase about using the neutral qualifier ("?") for
>>> public sources might also be added.
>>
>> To further this discussion, please define "public sources", compare and
>> contrast that definition to the definition of "private sources", and then
>> describe which sources are "trusted" and by whom.
>
>
>*public sources* is a set of IP addresses used by an operator who sends mail
>on behalf of its customers, not by assigning different addresses to different
>customers, but according to whatever other criteria which mixes them up.
>
>*private sources* are IP addresses in exclusive use by a domain.
>
>A public source can be *trusted* by its customers if it reliably filters
>outgoing mail by ensuring that messages sent by a given customer contain From:
>domains owned by that customer.
>
>That's obviously too long to go on the I-D. The point has to be expressed in
>one or two sentences. Certainly, we cannot recommend an insecure practice.
>

Maybe something like "trusted to prevent cross-user forgery" with a link to RFC 7208 section 11.4 (which explains what that means).
Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
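The thread argues about one sentence of the I-D: whether "an SPF pass verdict for all known sources" is safe when one of those sources is a shared pool that mixes an operator's customers. The following is an added example, not code from the thread, the I-D or any participant: a deliberately minimal, DNS-free check_host() that evaluates only ip4/ip6/all terms, used to show what a "+" versus a "?" qualifier on the shared pool does to the verdict a cross-user forger obtains. The addresses (192.0.2.10 as the domain's own MTA, 198.51.100.0/24 as the hypothetical ESP's shared pool, 198.51.100.77 as another customer's sending host) are constructed documentation-range values, and "example.com" is the assumed RFC5321.MailFrom domain.

```python
import ipaddress

# RFC 7208 section 4.6.2: an optional qualifier prefixes each mechanism;
# "+" is the default when none is written.
QUALIFIER_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        qual = "+"
        if tok[0] in QUALIFIER_RESULTS:
            qual, tok = tok[0], tok[1:]
        mech, _, value = tok.partition(":")
        terms.append((qual, mech.lower(), value or None))
    return terms


def check_host(ip, record):
    """Minimal check_host(): evaluate ip4/ip6/all terms left to right.

    Deliberately offline: a, mx, include, exists and redirect need DNS and
    are rejected here. The first matching mechanism decides the result.
    """
    addr = ipaddress.ip_address(ip)
    for qual, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # An IPv6 address is never "in" an IPv4 network, and vice versa.
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULTS[qual]
        elif mech == "all":
            return QUALIFIER_RESULTS[qual]
        else:
            raise ValueError(f"mechanism {mech!r} needs DNS; not modelled here")
    # RFC 7208 section 4.7: no mechanism matched and no "all" -> neutral.
    return "neutral"


def spf_counts_for_dmarc(result):
    """RFC 7489 section 4.1: only an SPF "pass" can satisfy DMARC.

    Neutral, softfail and fail are all simply "not pass" to DMARC, so a
    domain that publishes "?" for a shared pool must rely on aligned DKIM
    for the mail it sends through that pool.
    """
    return result == "pass"


# Constructed scenario (assumed, not from the thread): example.com sends from
# its own MTA (a private source) and through a hypothetical ESP whose shared
# pool mixes every customer (a public source in the thread's sense).
PRIVATE_MTA = "192.0.2.10"
SHARED_POOL = "198.51.100.0/24"

# What the I-D sentence produces when read literally: pass for all known sources.
RECORD_PASS_POOL = f"v=spf1 ip4:{PRIVATE_MTA} ip4:{SHARED_POOL} -all"
# The alternative raised in the thread: neutral ("?") for the shared pool.
RECORD_NEUTRAL_POOL = f"v=spf1 ip4:{PRIVATE_MTA} ?ip4:{SHARED_POOL} -all"


def cross_user_forgery_demo():
    """RFC 7208 section 11.4 scenario: another customer of the same ESP
    sends MAIL FROM:<anything@example.com> from a host in the shared pool."""
    forger_ip = "198.51.100.77"  # constructed: some host in the shared pool
    return {
        "pass_pool": check_host(forger_ip, RECORD_PASS_POOL),
        "neutral_pool": check_host(forger_ip, RECORD_NEUTRAL_POOL),
    }


if __name__ == "__main__":
    for name, verdict in cross_user_forgery_demo().items():
        print(f"{name}: SPF={verdict}, satisfies DMARC={spf_counts_for_dmarc(verdict)}")
```

With RECORD_PASS_POOL the forger's message gets "pass" for example.com and, if example.com is also the From: domain, an aligned DMARC pass. With RECORD_NEUTRAL_POOL the same message is "neutral", which DMARC treats as not-pass, while example.com's own MTA still passes. In a real record the ESP pool is normally referenced as `?include:` of the ESP's domain rather than a literal ip4 term; the qualifier semantics are identical, but this offline evaluator does not resolve include and will reject it.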
