On Sun, Mar 31, 2024 at 2:00 PM John Levine <[email protected]> wrote:
> It appears that Mark Alley <[email protected]> said:
> >> People who publish -all know what they do.
> >
> >I posit that there is a non-insignificant amount of domain owners that
> >don't know what the consequences of -all are other than that they've
> >been instructed to use "-all" by a guide online, ...
>
> I'm with you. I have had too many arguments with people whose SPF records
> end with -all and insist it is everyone's fault but theirs that their mail
> doesn't get delivered.
>
> The special case of a record only containing -all, meaning they send no
> mail whatsoever, is different and I don't think it's contentious.
>
> But I still am reluctant to give people a lot of advice about how to
> set up their SPF records. This is dmarc-bis, not spf-bis.
>

I concur, and do not want to accidentally make normative updates to SPF.

SPF hard fails in a DMARC context is a constant point of confusion and bad operational practice. I do think the spec should cover it in a concise and mostly informational way.

My proposed text was:

----
Some Mail Receiver architectures implement SPF in advance of any DMARC operations. This means that an SPF hard fail ("-") prefix on a sender's SPF mechanism, such as "-all", could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place, and DKIM has a chance to validate the message instead of SPF. Operators choosing to use "-all" to terminate SPF records should be aware of this. Since DMARC only relies on an SPF pass, all failures are treated equally. Therefore, it is considered best practice when using SPF in a DMARC context for domains that send email to end records with a soft fail ("~" / "~all").
---

Could this work with simply the removal of the last sentence covering best practice?

>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>

--
Seth Blank | Chief Technology Officer
Email: [email protected]
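The handling-order issue in the proposed text above, as an added example that is not part of the original message: a simplified Python model comparing a receiver that enforces an SPF hard fail before DMARC with one that only feeds the SPF result into DMARC. All names are hypothetical, strict identifier alignment is assumed, and no real SPF or DKIM evaluation is performed.

```python
# Added illustration: a simplified model, not a real MTA or SPF/DKIM library.
from dataclasses import dataclass

@dataclass
class Message:
    from_domain: str                 # RFC5322.From domain (what DMARC protects)
    spf_result: str                  # "pass", "fail" ("-" matched), "softfail" ("~" matched)
    spf_domain: str                  # RFC5321.MailFrom domain that SPF evaluated
    dkim_pass_domains: tuple = ()    # d= domains whose signatures validated

def dmarc_pass(msg):
    # Assumption: strict alignment (exact domain match) to keep the model small.
    spf_ok = msg.spf_result == "pass" and msg.spf_domain == msg.from_domain
    dkim_ok = msg.from_domain in msg.dkim_pass_domains
    return spf_ok or dkim_ok

def dmarc_receiver(msg, policy):
    """SPF is only an input to DMARC; "fail" and "softfail" count the same."""
    if dmarc_pass(msg):
        return "accept"
    return {"reject": "reject-dmarc", "quarantine": "quarantine", "none": "accept"}[policy]

def spf_first_receiver(msg, policy):
    """SPF hard fail is enforced early, before DKIM or DMARC are consulted."""
    if msg.spf_result == "fail":
        return "reject-spf"
    return dmarc_receiver(msg, policy)

def sample(spf_result, dkim=("example.com",)):
    # Constructed sample: sending host not listed in example.com's SPF record.
    return Message("example.com", spf_result, "example.com", dkim)

if __name__ == "__main__":
    for label, msg in [("-all, DKIM valid", sample("fail")),
                       ("~all, DKIM valid", sample("softfail")),
                       ("-all, no DKIM", sample("fail", ())),
                       ("~all, no DKIM", sample("softfail", ()))]:
        print(f"{label:18} spf-first={spf_first_receiver(msg, 'reject'):12} "
              f"dmarc-only={dmarc_receiver(msg, 'reject')}")
```

Only the first row differs between the two receivers: the DKIM-valid message from a "-all" domain is rejected by the SPF-first receiver even though it would pass DMARC.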
