Re: [dmarc-ietf] Another point for SPF advice
On 08/03/2024 18:45, Hector Santos wrote:
> I believe it is correct, SHOULD strive to trusted known sources. The final
> mechanism SHOULD be one of (hard) failure. This is what we (ideally) strive
> for. I believe anything weaker is a waste of computational resources, causes
> confusion using neutral or even soft fails especially with repeated
> transactions.

A compromise seems to be to set neutral/softfail for forwarded messages. You don't want them to be blocked, but neither do you want to blindly grant occasional forwarders permission to originate mail with your domain name. That's not optimal. Forwarding should be fixed, e.g. by establishing streams at both sides.

Another case is for mailbox providers which don't filter against cross-domain abuse. In this case, the optimal solution is to choose better providers.

Best
Ale
--

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Another point for SPF advice
I believe it is correct, SHOULD strive to trusted known sources. The final mechanism SHOULD be one of (hard) failure. This is what we (ideally) strive for. I believe anything weaker is a waste of computational resources, causes confusion using neutral or even soft fails especially with repeated transactions.

All the best,
Hector Santos

> On Mar 5, 2024, at 9:29 AM, Alessandro Vesely wrote:
>
> Hi,
>
> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
> sentence says:
>
>    The SPF record SHOULD be constructed
>    at a minimum to ensure an SPF pass verdict for all known sources of
>    mail for the RFC5321.MailFrom domain.
>
> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
> only. An additional phrase about using the neutral qualifier ("?") for
> public sources might also be added.
>
>
> Best
> Ale
> --
Re: [dmarc-ietf] Another point for SPF advice
On 05/03/2024 17:07, Scott Kitterman wrote:
> On March 5, 2024 3:46:39 PM UTC, Alessandro Vesely wrote:
>> Todd Herr writes:
>>> On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely wrote:
>>>> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
>>>> sentence says:
>>>>
>>>>    The SPF record SHOULD be constructed
>>>>    at a minimum to ensure an SPF pass verdict for all known sources of
>>>>    mail for the RFC5321.MailFrom domain.
>>>>
>>>> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
>>>> only. An additional phrase about using the neutral qualifier ("?") for
>>>> public sources might also be added.
>>>
>>> To further this discussion, please define "public sources", compare and
>>> contrast that definition to the definition of "private sources", and then
>>> describe which sources are "trusted" and by whom.
>>
>> *public sources* is a set of IP addresses used by an operator who sends mail
>> on behalf of its customers, not by assigning different addresses to different
>> customers, but according to whatever other criteria which mixes them up.
>>
>> *private sources* are IP addresses in exclusive use by a domain.
>>
>> A public source can be *trusted* by its customers if it reliably filters
>> outgoing mail by ensuring that messages sent by a given customer contain From:
>> domains owned by that customer.
>>
>> That's obviously too long to go on the I-D. The point has to be expressed in
>> one or two sentences. Certainly, we cannot recommend an insecure practice.
>
> Maybe something like trusted to prevent cross user forgery with a link to RFC
> 7208 11.4 (which explains what that means).

I like that wording. However, when we talk of an ISP's user, it is actually a domain. So perhaps:

   The SPF record SHOULD be constructed at a minimum to ensure an SPF pass
   verdict for all known sources of mail for the RFC5321.MailFrom domain that
   are trusted to prevent cross-domain forgeries.

Possibly, a wider paragraph, with an example of using qualifiers with the include mechanism, can be given in Section 8.1.

Best
Ale
--
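As an added illustration of the qualifier-on-include idea discussed in this thread (this is not code from the list or from any SPF library), the minimal RFC 7208 check_host() below evaluates a record that grants a hard "pass" only to a private range and wraps a shared (public) provider's record in "?include:", so mail from the provider's pool gets "neutral" rather than "pass", while everything else hits "-all". The domain names and address ranges in ZONE are constructed for the example.

```python
import ipaddress

# Constructed DNS zone data (example-only names): domain -> SPF TXT record.
# example.com: private range gets a pass, the shared provider is only
# neutral, and the final mechanism is a hard fail, as argued in the thread.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ?include:_spf.shared.example -all",
    "_spf.shared.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Toy RFC 7208 check_host(): supports ip4, include and all only."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # The include mechanism matches only if the referenced record
            # returns "pass"; the verdict is then the qualifier written on
            # the include term itself, which is why "?include:" yields neutral.
            sub = check_host(ip, arg, zone, depth + 1)
            if sub == "none":           # RFC 7208 5.2: missing target -> permerror
                return "permerror"
            if sub in ("permerror", "temperror"):
                return sub
            matched = sub == "pass"
        else:
            return "permerror"          # mechanism not implemented in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no match and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.1"):
        print(ip, "->", check_host(ip, "example.com"))
```

Changing the include term to a plain "include:" (implicit "+") in the same zone turns the shared provider's neutral into a pass, which is exactly the cross-domain exposure the proposed wording tries to avoid.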
Re: [dmarc-ietf] Another point for SPF advice
On March 5, 2024 3:46:39 PM UTC, Alessandro Vesely wrote:
>Todd Herr writes:
>> On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely wrote:
>>
>>> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
>>> sentence says:
>>>
>>>    The SPF record SHOULD be constructed
>>>    at a minimum to ensure an SPF pass verdict for all known sources of
>>>    mail for the RFC5321.MailFrom domain.
>>>
>>> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
>>> only. An additional phrase about using the neutral qualifier ("?") for
>>> public sources might also be added.
>>
>> To further this discussion, please define "public sources", compare and
>> contrast that definition to the definition of "private sources", and then
>> describe which sources are "trusted" and by whom.
>
>
>*public sources* is a set of IP addresses used by an operator who sends mail
>on behalf of its customers, not by assigning different addresses to different
>customers, but according to whatever other criteria which mixes them up.
>
>*private sources* are IP addresses in exclusive use by a domain.
>
>A public source can be *trusted* by its customers if it reliably filters
>outgoing mail by ensuring that messages sent by a given customer contain From:
>domains owned by that customer.
>
>That's obviously too long to go on the I-D. The point has to be expressed in
>one or two sentences. Certainly, we cannot recommend an insecure practice.
>

Maybe something like trusted to prevent cross user forgery with a link to RFC 7208 11.4 (which explains what that means).

Scott K
Re: [dmarc-ietf] Another point for SPF advice
Todd Herr writes:
> On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely wrote:
>> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
>> sentence says:
>>
>>    The SPF record SHOULD be constructed
>>    at a minimum to ensure an SPF pass verdict for all known sources of
>>    mail for the RFC5321.MailFrom domain.
>>
>> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
>> only. An additional phrase about using the neutral qualifier ("?") for
>> public sources might also be added.
>
> To further this discussion, please define "public sources", compare and
> contrast that definition to the definition of "private sources", and then
> describe which sources are "trusted" and by whom.

*public sources* is a set of IP addresses used by an operator who sends mail on behalf of its customers, not by assigning different addresses to different customers, but according to whatever other criteria which mixes them up.

*private sources* are IP addresses in exclusive use by a domain.

A public source can be *trusted* by its customers if it reliably filters outgoing mail by ensuring that messages sent by a given customer contain From: domains owned by that customer.

That's obviously too long to go on the I-D. The point has to be expressed in one or two sentences. Certainly, we cannot recommend an insecure practice.

Best
Ale
--
Re: [dmarc-ietf] Another point for SPF advice
On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely wrote:
> Hi,
>
> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
> sentence says:
>
>    The SPF record SHOULD be constructed
>    at a minimum to ensure an SPF pass verdict for all known sources of
>    mail for the RFC5321.MailFrom domain.
>
> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
> only. An additional phrase about using the neutral qualifier ("?") for
> public sources might also be added.
>

To further this discussion, please define "public sources", compare and contrast that definition to the definition of "private sources", and then describe which sources are "trusted" and by whom.

--
Todd Herr | Technical Director, Standards & Ecosystem
e: todd.h...@valimail.com
p: 703-220-4153
m: 703.220.4153
[dmarc-ietf] Another point for SPF advice
Hi,

in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last sentence says:

   The SPF record SHOULD be constructed
   at a minimum to ensure an SPF pass verdict for all known sources of
   mail for the RFC5321.MailFrom domain.

As we learnt, an SPF pass verdict has to be granted to /trusted/ sources only. An additional phrase about using the neutral qualifier ("?") for public sources might also be added.

Best
Ale
--