What problem are you purporting to solve? By problem, I mean a case where a bad actor can get a DMARC pass result if SPF HELO results are allowed to be used that they couldn't already get with a mail from result.
I don't think such a case exists, which is why I think this entire line of argument is a waste of time.

Scott K

On Thursday, February 11, 2021 6:35:49 AM EST Douglas Foster wrote:
> Applying SPF to DMARC could become out of scope, if we choose to remove SPF
> from DMARC and make it dependent only on DKIM. Until then, we need to
> have a shared understanding of how SPF is applied. This question asks
> whether that shared understanding exists.
>
> SPF involves two tests, which can be used together. This WG can insist
> that for DMARC purposes, only one can be used:
>
> "When the sender is not null, DMARC-evaluation only considers the SPF
> evaluation of the MAILFROM Address. SPF evaluation of HELO MUST NOT be
> considered for DMARC purposes."
>
> This wording seems implied by the current language, and by those who want
> to leave it untouched. Implication is different from specification, so our
> document should make this explicit. Unfortunately, an explicit MUST NOT
> requirement is hard to justify. When two domains are involved, and both
> domains have published policy information, what justification exists for
> ignoring some of the available security-related information?
>
> If we back away from MUST NOT, then we have to consider that some
> recipients MAY evaluate SPF HELO and SPF MAILFROM together, just as the SPF
> RFC expected them to be used, and as outlined in one of my examples. If
> some recipients MAY evaluate HELO, then senders SHOULD take care to ensure
> that HELO will generate a PASS. Our language becomes something like this:
>
> "When the sender is not null, DMARC-evaluation always uses the SPF
> evaluation of the MAILFROM Address. Some recipients may evaluate SPF HELO
> as well. To maximize recipient trust, senders SHOULD publish an SPF
> policy which ensures that both MAILFROM and HELO will produce SPF PASS
> results."
>
> DF
>
> On Wed, Feb 10, 2021 at 6:29 PM Dave Crocker <[email protected]> wrote:
> > On 2/10/2021 3:24 PM, Douglas Foster wrote:
> > > Huh? Are you asserting that SPF MAILFROM and SPF HELO are
> > > interchangeable? They are not, but they can work together.
> >
> > Perhaps I misread, but I thought I saw that this really is out of scope
> > for this working group.
> >
> > d/
> >
> > --
> > Dave Crocker
> > [email protected]
> > 408.329.0791
> >
> > Volunteer, Silicon Valley Chapter
> > American Red Cross
> > [email protected]

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
