On 05/03/2024 17:07, Scott Kitterman wrote:

On March 5, 2024 3:46:39 PM UTC, Alessandro Vesely <[email protected]> wrote:

Todd Herr writes:

On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely <[email protected]> wrote:

in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
sentence says:

The SPF record SHOULD be constructed
at a minimum to ensure an SPF pass verdict for all known sources of
mail for the RFC5321.MailFrom domain.

As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
only. An additional phrase about using the neutral qualifier ("?") for
public sources might also be added.

To further this discussion, please define "public sources", compare and
contrast that definition to the definition of "private sources", and then
describe which sources are "trusted" and by whom.

*public sources* is a set of IP addresses used by an operator who sends mail on
behalf of its customers, not by assigning different addresses to different
customers, but according to whatever other criteria which mixes them up.

*private sources* are IP addresses in exclusive use by a domain.

A public source can be *trusted* by its customers if it reliably filters
outgoing mail by ensuring that messages sent by a given customer contain From:
domains owned by that customer.

That's obviously too long to go on the I-D. The point has to be expressed in
one or two sentences. Certainly, we cannot recommend an insecure practice.

Maybe something like trusted to prevent cross user forgery with a link to RFC
7208 11.4 (which explains what that means).

I like that wording. However, when we talk of an ISP's user, it is
actually a domain. So perhaps:

The SPF record SHOULD be constructed
at a minimum to ensure an SPF pass verdict for all known sources of
mail for the RFC5321.MailFrom domain that are trusted to prevent
cross-domain forgeries.

Possibly, a wider paragraph, with an example of using qualifiers with
the include mechanism can be given in Section 8.1.
Best
Ale
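
An added illustration of the "qualifiers with the include mechanism" idea discussed above; it is not part of the original message or of the draft. It evaluates a constructed record in which a domain's own addresses get a pass while a shared sender's range, pulled in with `?include:`, yields only neutral, so SPF alone cannot produce a DMARC pass from the shared range. The domains, address ranges and function names are assumptions made for the example.

```python
import ipaddress

# Constructed TXT records (documentation domains and address ranges).
RECORDS = {
    "customer.example":
        "v=spf1 ip4:192.0.2.0/24 ?include:_spf.shared-esp.example -all",
    "_spf.shared-esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS):
    """Simplified RFC 7208 evaluation: ip4, include and all only.

    Error results (temperror/permerror) are not modelled here.
    """
    record = records.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "include":
            # include matches only when the nested evaluation returns pass;
            # the qualifier on the include term then decides the result.
            matched = check_host(ip, arg, records) == "pass"
        else:
            raise ValueError(f"unsupported term: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


def dmarc_spf_pass(ip, mailfrom_domain, header_from_domain, records=RECORDS):
    """SPF counts for DMARC only on a pass with an aligned domain.

    Alignment is simplified to an exact match (strict mode).
    """
    return (check_host(ip, mailfrom_domain, records) == "pass"
            and mailfrom_domain == header_from_domain)
```

With a plain `include:` (no qualifier) the shared range would return pass for every customer domain that includes it, which is the cross-domain forgery case RFC 7208 section 11.4 describes.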