Hi Sebastian,

> I think SPF / DKIM is more of a suitable method of verifying authenticity
> for mails, since these can be verified automatically by most email server
> software without any plugins.

For servers yes, but for email clients the opposite is true. Most clients already automatically verify S/MIME. DKIM could be done in the client, but SPF is particularly hard to do in a client.

> Ergo, a CA **MUST** support SPF as validation method [...]
> And a CA **MAY** also support DKIM

Why this strong preference for SPF over DKIM? SPF isn't compatible with regular email forwarding and thus creates a lot of problems. See for example https://blog.fastmail.com/2016/12/24/spf-dkim-dmarc/ for details. I recommend that my customers only use DKIM and not use SPF at all because of this.

> and/or SMIME as validation method both
> for sending

I think the main point here is if we want to force clients to support full MIME decoding including S/MIME or not. Making this decision a MAY isn't good practice, as an ACME client without a full MIME parser will just stop working once the CA decides to activate S/MIME. Also, mail filtering gateways then can't rely on the kind of signing a CA does on the challenge mails.

> For gateway filtering, I suggest that a couple of static addresses are
> reserved for this purpose:
> acme @ [ca_domain_name].[tld]

Yes, good idea.

Kind regards,
Gerd

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
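As an added illustration of the forwarding problem raised above (this is not code from the thread or from any ACME implementation), here is a minimal SPF evaluator in Python: it checks a constructed `v=spf1` record against the connecting IP, so the same message passes when the origin MTA delivers it and soft-fails once a forwarding host relays it with the original envelope sender. The domain, record and IP addresses are constructed for the example; only `ip4`/`ip6`/`all` mechanisms are implemented.

```python
import ipaddress

# Constructed SPF record for a hypothetical sender domain (example.org is a
# reserved documentation name; the addresses are documentation ranges).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Evaluate the SPF record of the MAIL FROM domain against the client IP.

    Returns an RFC 7208 result string: pass, fail, softfail, neutral or none.
    Only ip4/ip6/all terms are handled; include/a/mx/redirect are out of scope.
    """
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no usable SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            # A mismatched address family never matches; strict=False allows
            # host bits in the record (e.g. "192.0.2.5/24").
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def forwarding_scenario():
    """One message, same envelope sender, seen at two hops.

    First hop: delivered directly by the origin MTA of example.org.
    Second hop: relayed by a forwarding host that keeps the original MAIL FROM,
    which is exactly the plain-forwarding case where SPF stops matching.
    """
    direct = check_spf("example.org", "192.0.2.10")       # origin MTA
    forwarded = check_spf("example.org", "198.51.100.7")  # forwarder's IP
    return direct, forwarded
```

DKIM is unaffected by this second hop because its signature is bound to the signing domain's key and the message content, not to the connecting IP, which is why forwarding breaks SPF but not DKIM.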
