And in addition to the draft's being clear that receivers need to
check all of the authentication mechanisms (currently SPF and DKIM),
Section 7.4 contains strong language that senders relying on SPF
alone, without DKIM, are treading dangerously.  The combination --
senders really need to sign with DKIM, receivers need to check both
SPF and DKIM -- is important, and anyone who thinks we need to say it
more clearly should please send suggested text so we can see
specifically what we need to add/clarify.

Barry

On Thu, Jan 2, 2025 at 9:40 PM John Levine <[email protected]> wrote:
>
> It appears that Michael Thomas  <[email protected]> said:
> >
> >If we are going under the assumption that both SPF and DKIM have their
> >own strengths and weaknesses with respect to being able to verify where
> >a piece of email came from (or passed through too in the case of DKIM),
> >a sender needs the confidence that the receiver implements both of them
> >before they set a reject policy which could lead to deliverability
> >issues. It is utterly irrelevant what is currently deployed in the field
> >right now -- it's a new proposed standard, after all. Both SPF and DKIM
> >have their own policy mechanisms and if you are a SPF-only shop you can
> >use its mechanism if you feel brave enough.
>
> That is both what 7489 says and what the current draft says.  Every DMARC
> implementation I know checks both SPF and DKIM.  We considered and rejected
> proposals to deprecate SPF, or to add a flag saying to check only one or the 
> other.
>
> If you think the draft needs changes, it'd be helpful if you could send text.
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
