On Fri 30/Jun/2023 19:22:28 +0200 Barry Leiba wrote:
> Ale, you're venue-shopping; please don't do that.
Sorry, I understood the discussion was banned from the dmarc list.
>> In fact, messages that would only be blocked by auth=dkim+spf are either
>> messages that pass DKIM but fail SPF, or messages that pass SPF but fail
>> DKIM. Since the latter case, excluding misconfigurations, looks unlikely,
>> this setting serves only DKIM replay.
> What you say here about DKIM replay is misleading and wrong. Barring
> misconfigurations, "dkim+spf" would be equivalent to "spf", as you
> actually point out in the paragraph above, and it has nothing to do
> with mitigating DKIM replay
An example of SPF pass where DKIM does not is a domain that uses an external
smarthost, at least for some targets which blacklist its IP addresses. A
serious but non-exclusive smarthost can promptly identify abuse culprits, but
may not be able to prevent them. So checking DKIM in addition to SPF would
bring an added value in such cases.
> (other than to say that the way to avoid DKIM replay is not to pay attention
> to DKIM).
That agrees with the initial remark that DKIM replay is a feature, not a
bug, as it is consistent with the by-design independence from transport
details.
> In any case, if anyone is interested in discussing this DMARC protocol
> proposal, please go to the DMARC list, where it is actively being
> discussed.
Anyway, discussing whether spf+dkim verification can mitigate DKIM replay
belongs to the ietf-dkim list. (In case, it could also be expressed outside
DMARC, for example by an additional DKIM tag.)
Best
Ale
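The policy comparison argued over in the exchange above, as an added example that is not part of the mailing-list thread: a small Python model of the proposed DMARC `auth=` tag. It assumes that `auth=dkim+spf` requires both aligned DKIM and aligned SPF to pass, that plain DMARC with no tag (labelled `either` here, an assumed name) accepts either aligned pass, and it adds a `dkim` value for symmetry; that value and the scenario names are assumptions, not anything from the draft.

```python
# Added example (not from the thread): model message outcomes under the
# proposed DMARC 'auth=' tag.  Assumptions: 'dkim+spf' requires BOTH aligned
# results to pass; 'either' is an assumed label for plain DMARC (no auth tag),
# which accepts either aligned pass; 'dkim' is an assumed value for symmetry.
from itertools import product

AUTH_VALUES = ("either", "dkim", "spf", "dkim+spf")

# The four possible (aligned DKIM, aligned SPF) result pairs.
OUTCOMES = tuple(product((False, True), repeat=2))


def dmarc_passes(auth: str, dkim_aligned: bool, spf_aligned: bool) -> bool:
    """True if a message with these aligned results satisfies `auth`."""
    if auth == "either":
        return dkim_aligned or spf_aligned
    if auth == "dkim":
        return dkim_aligned
    if auth == "spf":
        return spf_aligned
    if auth == "dkim+spf":
        return dkim_aligned and spf_aligned
    raise ValueError(f"unknown auth value: {auth!r}")


def differing_outcomes(auth_a: str, auth_b: str) -> list:
    """(dkim, spf) result pairs on which the two auth values disagree."""
    return [
        (d, s) for d, s in OUTCOMES
        if dmarc_passes(auth_a, d, s) != dmarc_passes(auth_b, d, s)
    ]


def newly_blocked(auth: str, baseline: str = "either") -> list:
    """Result pairs accepted under `baseline` but rejected under `auth`."""
    return [
        (d, s) for d, s in OUTCOMES
        if dmarc_passes(baseline, d, s) and not dmarc_passes(auth, d, s)
    ]


# Constructed scenarios from the thread, as (aligned DKIM, aligned SPF).
SCENARIOS = {
    # Replayed message: the signature still verifies, the sending IP is
    # not authorised by the domain's SPF record.
    "dkim_replay": (True, False),
    # Abuse through a shared smarthost that is listed in SPF, sent
    # without a valid signature.
    "smarthost_abuse": (False, True),
}


def scenario_results(name: str) -> dict:
    """Disposition of one constructed scenario under every auth value."""
    d, s = SCENARIOS[name]
    return {auth: dmarc_passes(auth, d, s) for auth in AUTH_VALUES}


if __name__ == "__main__":
    print("(dkim, spf) -> " + "  ".join(AUTH_VALUES))
    for d, s in OUTCOMES:
        row = "  ".join(str(dmarc_passes(a, d, s)).ljust(len(a)) for a in AUTH_VALUES)
        print(f"({d!s:5}, {s!s:5}) -> {row}")
    print("spf vs dkim+spf differ only on:", differing_outcomes("spf", "dkim+spf"))
    for name in SCENARIOS:
        print(name, scenario_results(name))
```

Running it shows the point both sides are making: `differing_outcomes("spf", "dkim+spf")` contains only the DKIM-fail/SPF-pass pair, the smarthost scenario, so that is the sole case in which `dkim+spf` is stricter than `spf`; a replayed message (DKIM pass, SPF fail) is rejected by `spf` alone exactly as it is by `dkim+spf`, and is accepted only under plain DMARC or `dkim`.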
--
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim