On 05/03/2024 17:07, Scott Kitterman wrote:
On March 5, 2024 3:46:39 PM UTC, Alessandro Vesely <[email protected]> wrote:
Todd Herr writes:
On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely <[email protected]> wrote:

in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last sentence says:

                                     The SPF record SHOULD be constructed
     at a minimum to ensure an SPF pass verdict for all known sources of
     mail for the RFC5321.MailFrom domain.

As we learnt, an SPF pass verdict has to be granted to /trusted/ sources only. An additional phrase about using the neutral qualifier ("?") for public sources might also be added.

To further this discussion, please define "public sources", compare and contrast that definition to the definition of "private sources", and then describe which sources are "trusted" and by whom.

*public sources* is a set of IP addresses used by an operator who sends mail on behalf of its customers, not by assigning different addresses to different customers, but according to whatever other criteria, which mix them up.

*private sources* are IP addresses in exclusive use by a domain.

A public source can be *trusted* by its customers if it reliably filters outgoing mail by ensuring that messages sent by a given customer contain From: domains owned by that customer.

That's obviously too long to go on the I-D.  The point has to be expressed in one or two sentences.  Certainly, we cannot recommend an insecure practice.

Maybe something like "trusted to prevent cross-user forgery", with a link to RFC 7208, Section 11.4 (which explains what that means).


I like that wording. However, when we talk of an ISP's user, it is actually a domain. So perhaps:

                                   The SPF record SHOULD be constructed
   at a minimum to ensure an SPF pass verdict for all known sources of
   mail for the RFC5321.MailFrom domain that are trusted to prevent
   cross-domain forgeries.

Possibly, a wider paragraph, with an example of using qualifiers with the include mechanism can be given in Section 8.1.


Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
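The following is an added illustration, not part of the thread above nor of the I-D it discusses, of the point about using qualifiers with the include mechanism: a minimal SPF evaluator in Python that supports only the ip4, include and all mechanisms, run over constructed records in which `_spf.shared-esp.example` stands for a hypothetical shared sending pool used by many customers. It shows that a plain `include:` of the pool grants an SPF pass to any customer of that pool sending with the domain in RFC5321.MailFrom, while `?include:` yields neutral for the pool and keeps pass for the domain's private addresses. All domain names, IP addresses and records are constructed for the example.

```python
"""Minimal SPF evaluator (ip4, include, all, with qualifiers).

Added example, not from the dmarc list thread or any real SPF library.
The zone, domains and IP addresses below are constructed.
"""
import ipaddress

# Constructed DNS zone: domain -> SPF TXT record.
# example.com uses "?include:" for the shared pool; naive.example uses a
# plain "include:" and therefore trusts every other customer of the pool.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ?include:_spf.shared-esp.example -all",
    "naive.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.shared-esp.example -all",
    "_spf.shared-esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208, 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none",
    "permerror") for a connection from `ip` using `domain` as the
    RFC5321.MailFrom domain, following RFC 7208 for the supported subset."""
    if depth > 10:  # guard against include loops (RFC 7208 limits DNS lookups)
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            network = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == 4 and addr in network
        elif name == "include":
            # RFC 7208, 5.2: include matches only if the recursive check
            # returns pass; the qualifier in the *outer* record then decides
            # the result, which is what "?include:" relies on.
            sub = check_host(ip, arg, zone, depth + 1)
            if sub == "permerror":
                return sub
            if sub == "none":
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208, 4.7)


if __name__ == "__main__":
    for domain in ("example.com", "naive.example"):
        for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
            print(f"{domain:15} {ip:15} -> {check_host(ip, domain)}")
```

Run as-is, the output shows the private range `192.0.2.0/24` passing for both domains and an unrelated address failing for both, but the shared-pool address `198.51.100.7` passes for `naive.example` and is only neutral for `example.com`. Neutral is not an authentication failure, so legitimate mail via the pool is not rejected on SPF grounds; it simply does not earn an aligned SPF pass for DMARC unless the pool operator is trusted to prevent cross-user forgery in the sense of RFC 7208, Section 11.4.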
