To Tim’s note below, should the group create an operational guidance document 
for DMARCbis? This could allow for more lengthy discussions around policy 
decisions, and move that discussion out of the technical document.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: dmarc <dmarc-boun...@ietf.org> On Behalf Of Tim Wicinski
Sent: Monday, April 1, 2024 12:17 PM
To: Dotzero <dotz...@gmail.com>
Cc: Brotman, Alex <Alex_Brotman=40comcast....@dmarc.ietf.org>; dmarc@ietf.org
Subject: Re: [dmarc-ietf] SPF follies, WGLC editorial review of 
draft-ietf-dmarc-dmarcbis-30

I have to agree with Seth's comments that "security teams believe an SPF hard 
fail is more secure".
I've been on the receiving end of that discussion more than once.

Also, can we reference those two M3AAWG documents? That seems like 
operational guidance.

tim


On Mon, Apr 1, 2024 at 8:55 AM Dotzero <dotz...@gmail.com> wrote:


On Mon, Apr 1, 2024 at 8:18 AM Brotman, Alex 
<Alex_Brotman=40comcast....@dmarc.ietf.org> wrote:
One item left out of Seth’s text is that due to MBPs who act in this fashion, 
these SPF evaluation failures will (understandably) not show up in DMARC 
reports, and the domain owner may not have visibility for these failures.  
However, the text also puts the onus on the domain owner instead of the MBP.  
The text could be altered to instead suggest that MBPs who deploy DMARC should 
not utilize the outcome of SPF in this fashion.  If the domain owner wants to 
protect their domain, and has no idea if the MBP supports DMARC properly 
(presuming they also have an enforcing policy), is it more or less advisable to 
use “-all” with your SPF record?

I’d be curious to see the Venn diagram of MBPs who implement SPF in this 
fashion, and also fully support DMARC.  I feel like the MBPs who I’ve 
encountered deploying an SPF check in this way had not at the time supported 
DMARC.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

I was just thinking along these lines and was going to post but you beat me to 
the punch.

+1

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
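
A small model of the behaviour discussed in this thread, added here as an illustration and not taken from any poster or from the draft: a receiver that refuses mail on an SPF `fail` before DMARC runs never records those messages in its aggregate report. The `Msg` fields, the `receive` function and the three sample messages are constructed assumptions, and the early reject is modelled as happening before any DMARC evaluation.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    label: str
    spf: str            # SPF result for the MAIL FROM domain
    spf_aligned: bool   # MAIL FROM domain aligns with the From: domain
    dkim: str           # DKIM verification result
    dkim_aligned: bool  # d= domain aligns with the From: domain

def dmarc_pass(m):
    # DMARC passes if either mechanism passes AND is aligned.
    return (m.spf == "pass" and m.spf_aligned) or \
           (m.dkim == "pass" and m.dkim_aligned)

def receive(msgs, policy, reject_on_spf_fail):
    """Return (inbox, rejected_early, aggregate_report_rows)."""
    inbox, rejected_early, report = [], [], Counter()
    for m in msgs:
        if reject_on_spf_fail and m.spf == "fail":
            # Refused at SMTP time on "-all"; DMARC never evaluates
            # the message, so no report row is produced for it.
            rejected_early.append(m.label)
            continue
        ok = dmarc_pass(m)
        disposition = "none" if ok or policy == "none" else policy
        report[(m.spf, m.dkim, disposition)] += 1
        if disposition == "none":
            inbox.append(m.label)
    return inbox, rejected_early, report

# Constructed sample traffic for a domain publishing "-all" and p=reject.
SAMPLE = [
    Msg("direct",    "pass", True, "pass", True),
    Msg("forwarded", "fail", True, "pass", True),   # DKIM survives forwarding
    Msg("spoof",     "fail", True, "none", False),
]

if __name__ == "__main__":
    for early in (True, False):
        inbox, dropped, report = receive(SAMPLE, "reject", early)
        print(f"reject_on_spf_fail={early}: inbox={inbox} "
              f"rejected_early={dropped} report={dict(report)}")
```

With the early reject enabled, the forwarded message that would have passed DMARC on aligned DKIM is lost and the domain owner's report shows only the direct message.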