Kurt

This is pretty interesting.  I've been assisting several teams as we have
been (very) slow rolling the DMARC policy out of reporting through
quarantine into reject. They have been pulling all the disparate teams into
deploying DKIM, but I was pointing out they have been guessing on who is
using DKIM vs. being in our datacenter (and thus our SPF records).
Doing the ?include would assist especially on operational type deployments.

Tim

On Sat, Feb 23, 2019 at 1:08 PM Kurt Andersen (b) <[email protected]> wrote:

> With the growth of huge platforms that emit mail from the same common set
> of IPs (such as GSuite, O365, or large ESPs), regular SPF "include" ends up
> granting a DMARC pass to a lot more potential authors than most
> organizations would necessarily choose to grant.
>
> Instead of using the standard "(+)include:" approach, if domain owners
> used "?include:" as their mechanism, then that would prevent the SPF result
> from granting a DMARC PASS result when traffic is coming from one of these
> massively included platforms. It would essentially force the DMARC result
> to be driven only by the DKIM evaluation.
>
> Thoughts?
>
> --Kurt Andersen
>
> (I'm copying the spfbis list too because there may be folks lurking there
> who are not on the DMARC list)
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>
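
Added example (not part of the original messages or of any SPF library): a simplified SPF evaluator showing how "?include:" turns a match on a shared platform range into "neutral" rather than "pass", so only DKIM can produce the DMARC pass. The domains, IP ranges and function names are constructed for illustration, only ip4, include and all are handled, and the envelope sender domain is assumed to equal the From domain.

```python
import ipaddress

# SPF qualifier -> result returned when the mechanism matches (RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records; names and ranges are reserved documentation values.
RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ?include:_spf.platform.example -all",
    "loose.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.platform.example -all",
    "_spf.platform.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def check_host(ip, domain, records=RECORDS):
    """Simplified SPF check_host: ip4, include and all only."""
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg)
        elif name == "include":
            # include matches only when the nested evaluation returns pass
            # (simplification: nested errors are treated as "no match")
            matched = check_host(ip, arg, records) == "pass"
        else:
            return "permerror"               # mechanism not modelled here
        if matched:
            # The qualifier on the matching mechanism decides the result,
            # so "?include" yields neutral even though the platform matched.
            return QUALIFIERS[qualifier]
    return "neutral"

def dmarc_result(ip, from_domain, dkim_aligned_pass, records=RECORDS):
    """DMARC passes when aligned SPF or aligned DKIM passes.
    Assumes envelope sender domain == From domain, so SPF is aligned."""
    spf = check_host(ip, from_domain, records)
    return "pass" if spf == "pass" or dkim_aligned_pass else "fail"
```
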