On Fri 03/Jan/2025 20:18:09 +0100 John Levine wrote:
> It appears that Michael Thomas <[email protected]> said:
>> Didn't Tero say that there used to be a MUST somewhere that made
>> explicit that both SPF and DKIM MUST be evaluated? If so, why was it
>> taken out and why can't it be put back in to clear his issue? There is
>> like absolutely no rationale for receivers to not verify DKIM these
>> days. Even 20 years ago it wasn't an issue.
> I think the current language is clear enough.
> If you disagree, please send text. As should be evident when reading the
> draft, this part has been reorganized so even if you wanted to put back
> some sentence from 7489, there's no place for it to go.
But you yourself seemed to agree:
https://mailarchive.ietf.org/arch/msg/dmarc/HuXMh0tuVCvVlEx2eIlVinzcZ_0
On Sun 29/Dec/2024 00:10:18 +0100 John R Levine wrote:
>> For each Authentication Mechanism underlying DMARC, perform the
>> required check to determine if an Authenticated Identifier
>> (#authenticated-identifier) exists for the message if such check
>> has not already been performed.
>> ...is absolutely normative.
> You're right, but if two people who are familiar with DMARC find it confusing,
> a little extra MUSTard wouldn't hurt.
In fact, MUSTard doesn't seem to lack in Section 5.3.3:
* For SPF, the preserved results *MUST* include "pass" or "fail", and
  if "fail", SHOULD include information about the reasons for
  failure if available. The results *MUST* further include the domain
  name used to complete the SPF check.
* For DKIM signature validation checks, for each signature checked,
  the results *MUST* include "pass" or "fail", and if "fail", SHOULD
  include information about the reasons for failure. The results
  *MUST* further include the value of the "d" and "s" tags from each
  checked DKIM signature.
However, some wording looks questionable. Errors are possible, besides "pass"
or "fail". And including results /for each/ checked sig might be too demanding.
Best
Ale
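
An added example, not part of the message above or of the draft: a small audit of an Authentication-Results header value against the two quoted Section 5.3.3 bullets, showing how a "temperror" result falls outside "pass"/"fail" and how a missing "s" tag or an unevaluated mechanism shows up. The mapping of the bullets onto the RFC 8601 properties smtp.mailfrom, header.d and header.s is an assumption, the parser is deliberately simplified (no quoted-string handling), and the sample header is constructed.

```python
import re

# Constructed sample header value (not taken from the thread), already unfolded.
SAMPLE = (
    "mx.example.org; "
    "spf=pass smtp.mailfrom=example.com; "
    "dkim=pass header.d=example.com header.s=sel1; "
    "dkim=temperror (key lookup timed out) header.d=lists.example.net; "
    "dmarc=pass header.from=example.com"
)

# Assumption: the quoted bullets mapped onto RFC 8601 property names.
REQUIRED = {"spf": ["smtp.mailfrom"], "dkim": ["header.d", "header.s"]}


def parse_resinfo(header_value):
    """Simplified Authentication-Results parser: yields (method, result, props)."""
    no_comments = re.sub(r"\([^()]*\)", " ", header_value)
    for chunk in no_comments.split(";")[1:]:  # first chunk is the authserv-id
        tokens = chunk.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield method.lower(), result.lower(), props


def audit(header_value):
    """Return findings for SPF and DKIM entries against the quoted requirements."""
    findings, seen = [], set()
    for method, result, props in parse_resinfo(header_value):
        if method not in REQUIRED:
            continue
        seen.add(method)
        # The quoted text allows only "pass" or "fail"; errors land here.
        if result not in ("pass", "fail"):
            findings.append(f"{method}: result '{result}' is neither pass nor fail")
        for prop in REQUIRED[method]:
            if prop not in props:
                findings.append(f"{method}: missing {prop}")
    # A mechanism with no entry at all was not evaluated (or not recorded).
    for method in REQUIRED:
        if method not in seen:
            findings.append(f"{method}: no result recorded")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```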