Re: [dmarc-ietf] Another point for SPF advice

2024-03-09 Thread Alessandro Vesely

On 08/03/2024 18:45, Hector Santos wrote:

> I believe it is correct, SHOULD strive to trusted known sources.  The final
> mechanism SHOULD be one of (hard) failure.  This is what we (ideally) strive
> for.  I believe anything weaker is a waste of computational resources, causes
> confusion using neutral or even soft fails especially with repeated
> transactions.


A compromise seems to be to set neutral/softfail for forwarded
messages.  You don't want them to be blocked, but neither do you want to
blindly allow occasional forwarders to originate mail with your domain
name.  That's not optimal.  Forwarding should be fixed, e.g. by
establishing streams at both sides.


Another case is for mailbox providers which don't filter against
cross-domain abuse.  In this case, the optimal solution is to choose
better providers.



Best
Ale
--



___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc


Re: [dmarc-ietf] Another point for SPF advice

2024-03-08 Thread Hector Santos
I believe it is correct, SHOULD strive to trusted known sources.  The final 
mechanism SHOULD be one of (hard) failure.  This is what we (ideally) strive 
for.  I believe anything weaker is a waste of computational resources, causes 
confusion using neutral or even soft fails especially with repeated 
transactions. 

All the best,
Hector Santos



> On Mar 5, 2024, at 9:29 AM, Alessandro Vesely  wrote:
> 
> Hi,
> 
> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last 
> sentence says:
> 
>   The SPF record SHOULD be constructed
>   at a minimum to ensure an SPF pass verdict for all known sources of
>   mail for the RFC5321.MailFrom domain.
> 
> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources 
> only.  An additional phrase about using the neutral qualifier ("?") for 
> public sources might also be added.
> 
> 
> Best
> Ale
> --
> 


Re: [dmarc-ietf] Another point for SPF advice

2024-03-08 Thread Alessandro Vesely

On 05/03/2024 17:07, Scott Kitterman wrote:
> On March 5, 2024 3:46:39 PM UTC, Alessandro Vesely  wrote:
>> Todd Herr writes:
>>> On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely  wrote:
>>>> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
>>>> sentence says:
>>>>
>>>>  The SPF record SHOULD be constructed
>>>>  at a minimum to ensure an SPF pass verdict for all known sources of
>>>>  mail for the RFC5321.MailFrom domain.
>>>>
>>>> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
>>>> only.  An additional phrase about using the neutral qualifier ("?") for
>>>> public sources might also be added.
>>>
>>> To further this discussion, please define "public sources", compare and
>>> contrast that definition to the definition of "private sources", and then
>>> describe which sources are "trusted" and by whom.
>>
>> *public sources* is a set of IP addresses used by an operator who sends mail on
>> behalf of its customers, not by assigning different addresses to different
>> customers, but according to whatever other criteria which mixes them up.
>>
>> *private sources* are IP addresses in exclusive use by a domain.
>>
>> A public source can be *trusted* by its customers if it reliably filters
>> outgoing mail by ensuring that messages sent by a given customer contain From:
>> domains owned by that customer.
>>
>> That's obviously too long to go on the I-D.  The point has to be expressed in
>> one or two sentences.  Certainly, we cannot recommend an insecure practice.
>
> Maybe something like trusted to prevent cross user forgery with a link to RFC
> 7208 11.4 (which explains what that means).



I like that wording.  However, when we talk of an ISP's user, it is 
actually a domain.  So perhaps:


   The SPF record SHOULD be constructed
   at a minimum to ensure an SPF pass verdict for all known sources of
   mail for the RFC5321.MailFrom domain that are trusted to prevent
   cross-domain forgeries.

Possibly, a wider paragraph, with an example of using qualifiers with 
the include mechanism can be given in Section 8.1.



Best
Ale
--
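An added example, not code from the thread or the I-D, of what a qualifier in front of an include mechanism actually does (the Section 8.1 illustration proposed above) and of the softfail-for-forwarders compromise from the 2024-03-09 reply: a minimal check_host() run over a constructed zone with hypothetical domain names and RFC 5737 documentation addresses.

```python
import ipaddress

# Constructed sample zone (hypothetical names, documentation addresses):
# a dedicated range, a trusted ESP, a public relay that does not filter
# cross-domain forgery, and one occasional forwarder.
ZONE = {
    "example.com": ("v=spf1 ip4:192.0.2.0/24 include:_spf.shared-esp.example "
                    "?include:_spf.public-relay.example ~ip4:198.51.100.7 -all"),
    "_spf.shared-esp.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "_spf.public-relay.example": "v=spf1 ip4:203.0.113.128/25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Minimal SPF check_host() supporting ip4, include and all.
    A matching mechanism yields the result named by its qualifier (default
    "+", i.e. pass); an include matches only when the referenced record
    evaluates to pass (RFC 7208, 5.2), so "?include:" turns that pass into
    neutral instead of a pass the domain cannot vouch for."""
    if depth > 10:  # crude stand-in for the RFC 7208 DNS lookup limit
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and check_host(ip, arg, zone, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term present


def classify_sources():
    """Evaluate one sender from each class against example.com's record."""
    return {
        "private range": check_host("192.0.2.10", "example.com"),
        "trusted ESP": check_host("203.0.113.5", "example.com"),
        "public relay": check_host("203.0.113.200", "example.com"),
        "forwarder": check_host("198.51.100.7", "example.com"),
        "unknown host": check_host("198.51.100.8", "example.com"),
    }
```

The public relay's own record passes for 203.0.113.200, yet example.com only gets neutral from it, which is the distinction the proposed "trusted to prevent cross-domain forgeries" wording draws.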







Re: [dmarc-ietf] Another point for SPF advice

2024-03-05 Thread Scott Kitterman


On March 5, 2024 3:46:39 PM UTC, Alessandro Vesely  wrote:
>Todd Herr writes:
>> On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely  wrote:
>> 
>>> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
>>> sentence says:
>>> 
>>> The SPF record SHOULD be constructed
>>> at a minimum to ensure an SPF pass verdict for all known sources of
>>> mail for the RFC5321.MailFrom domain.
>>> 
>>> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
>>> only.  An additional phrase about using the neutral qualifier ("?") for
>>> public sources might also be added.
>> 
>> To further this discussion, please define "public sources", compare and
>> contrast that definition to the definition of "private sources", and then
>> describe which sources are "trusted" and by whom.
>
>
>*public sources* is a set of IP addresses used by an operator who sends mail 
>on behalf of its customers, not by assigning different addresses to different 
>customers, but according to whatever other criteria which mixes them up.
>
>*private sources* are IP addresses in exclusive use by a domain.
>
>A public source can be *trusted* by its customers if it reliably filters 
>outgoing mail by ensuring that messages sent by a given customer contain From: 
>domains owned by that customer.
>
>That's obviously too long to go on the I-D.  The point has to be expressed in 
>one or two sentences.  Certainly, we cannot recommend an insecure practice.
>
Maybe something like trusted to prevent cross user forgery with a link to RFC 
7208 11.4 (which explains what that means).

Scott K



Re: [dmarc-ietf] Another point for SPF advice

2024-03-05 Thread Alessandro Vesely

Todd Herr writes:
> On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely  wrote:
>> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
>> sentence says:
>>
>> The SPF record SHOULD be constructed
>> at a minimum to ensure an SPF pass verdict for all known sources of
>> mail for the RFC5321.MailFrom domain.
>>
>> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
>> only.  An additional phrase about using the neutral qualifier ("?") for
>> public sources might also be added.
>
> To further this discussion, please define "public sources", compare and
> contrast that definition to the definition of "private sources", and then
> describe which sources are "trusted" and by whom.



*public sources* is a set of IP addresses used by an operator who sends  
mail on behalf of its customers, not by assigning different addresses to  
different customers, but according to whatever other criteria which mixes  
them up.


*private sources* are IP addresses in exclusive use by a domain.

A public source can be *trusted* by its customers if it reliably filters  
outgoing mail by ensuring that messages sent by a given customer contain  
From: domains owned by that customer.


That's obviously too long to go on the I-D.  The point has to be expressed  
in one or two sentences.  Certainly, we cannot recommend an insecure  
practice.



Best
Ale
--



Re: [dmarc-ietf] Another point for SPF advice

2024-03-05 Thread Todd Herr
On Tue, Mar 5, 2024 at 9:30 AM Alessandro Vesely  wrote:

> Hi,
>
> in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last
> sentence says:
>
> The SPF record SHOULD be constructed
> at a minimum to ensure an SPF pass verdict for all known sources of
> mail for the RFC5321.MailFrom domain.
>
> As we learnt, an SPF pass verdict has to be granted to /trusted/ sources
> only.  An additional phrase about using the neutral qualifier ("?") for
> public sources might also be added.
>
>
To further this discussion, please define "public sources", compare and
contrast that definition to the definition of "private sources", and then
describe which sources are "trusted" and by whom.

-- 

*Todd Herr * | Technical Director, Standards & Ecosystem
*e:* todd.h...@valimail.com
*p:* 703-220-4153
*m:* 703.220.4153



[dmarc-ietf] Another point for SPF advice

2024-03-05 Thread Alessandro Vesely

Hi,

in section 5.5.1, Publish an SPF Policy for an Aligned Domain, the last  
sentence says:


   The SPF record SHOULD be constructed
   at a minimum to ensure an SPF pass verdict for all known sources of
   mail for the RFC5321.MailFrom domain.

As we learnt, an SPF pass verdict has to be granted to /trusted/ sources  
only.  An additional phrase about using the neutral qualifier ("?") for  
public sources might also be added.



Best
Ale
--
