On April 8, 2024 1:02:53 AM UTC, Neil Anuskiewicz 
<neil=40marmot-tech....@dmarc.ietf.org> wrote:
>
>
>> On Apr 7, 2024, at 7:00 AM, Neil Anuskiewicz <n...@marmot-tech.com> wrote:
>> 
>> 
>> 
>>> On Apr 7, 2024, at 6:54 AM, Tero Kivinen <kivi...@iki.fi> wrote:
>>> 
>>> Scott Kitterman writes:
>>>> I hear you. Your operational issue is my system working as designed.
>>>> DMARC works on top of SPF, it doesn't change it.
>>> 
>>> Yes, DMARC works on top of SPF, and DKIM and provides policy layer. We
>>> are trying to change the fact that people rely purely on SPF, and try
>>> to get them moved to use DMARC instead, and we are trying to explain
>>> that if you do SPF inside the DMARC context, you get exactly same
>>> policy results you get as when you do SPF before, except you get it
>>> better, as you have more data available. Using -all would be
>>> completely ok if everybody would be doing DMARC, but as there are some
>>> systems which do SPF outside DMARC, and there having -all might
>>> shortcircuit DMARC out from the equation, we should provide guidance
>>> to those people how they can get best results in current environment.
>>> Thus the best current practice should be to use ~all instead of
>>> -all if you are trying to use DMARC, and want other systems to
>>> actually act based on your DMARC policy.
>
>The problem I see is that some receivers never got the memo and still enforce 
>just on an SPF hard fail which only creates fear, uncertainty, doubt, and 
>annoyance.


If there's FUD, it's due to claiming it is a significant problem for DMARC.  
Everyone has a different mail stream, so YMMV, but in my experience this is 
approximately never an issue.  This is only even potentially an issue when Mail 
From is aligned and SPF is fail.  I don't recall the last time I saw that happen 
for a message that also passed DKIM (and d= was aligned).

What is the overwhelming case for me is Mail From is not aligned (like this 
mailing list) and SPF is pass, none, neutral, etc.  Even if the receiver 
rejects SPF fail, it almost never comes up.  Then the DMARC result is a 
function of the DKIM signature verifying and being aligned.  The fact that my 
domain has a -all SPF record virtually never matters for DMARC.

So let's move on...

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
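
The interaction discussed in this thread, as an added example that is not part of any poster's message: a small model of a receiver that either rejects on SPF fail before DMARC or evaluates DMARC only, showing in which case a -all record changes the outcome. The sample messages and domains are constructed, and `org_domain` is a simplifying assumption (real DMARC alignment uses the Public Suffix List).

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # Real DMARC implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    # Relaxed alignment: organizational domains match.
    return org_domain(a) == org_domain(b)

@dataclass
class Msg:
    header_from: str   # domain in the From: header
    mail_from: str     # domain in the SMTP MAIL FROM (envelope sender)
    spf: str           # "pass", "fail", "softfail", "neutral" or "none"
    dkim: list = field(default_factory=list)  # (d= domain, verified) pairs

def dmarc_result(m):
    # DMARC passes if SPF passes with alignment OR any aligned DKIM signature verifies.
    spf_ok = m.spf == "pass" and aligned(m.mail_from, m.header_from)
    dkim_ok = any(ok and aligned(d, m.header_from) for d, ok in m.dkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def receiver_outcome(m, reject_on_spf_fail):
    # A receiver enforcing SPF on its own rejects before DMARC is ever evaluated.
    if reject_on_spf_fail and m.spf == "fail":
        return "rejected-by-spf"
    return "dmarc-" + dmarc_result(m)

def hard_fail_matters(m):
    # True only when SPF-only enforcement discards a message DMARC would have passed.
    return receiver_outcome(m, True) == "rejected-by-spf" and dmarc_result(m) == "pass"

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    # Mailing list: Mail From is the list's domain, SPF passes for it, author DKIM survives.
    "list": Msg("example.com", "bounces.list.example.org", "pass", [("example.com", True)]),
    # Forwarder keeps the author's Mail From: SPF fails under -all, DKIM still verifies.
    "forwarded": Msg("example.com", "example.com", "fail", [("example.com", True)]),
    # Spoofed mail: SPF fails and there is no aligned DKIM signature.
    "spoof": Msg("example.com", "example.com", "fail", []),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, receiver_outcome(msg, True), receiver_outcome(msg, False),
              hard_fail_matters(msg))
```
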
