I’ve talked about this before. I ran into a utility company that I conversed with that explicitly didn’t want to use DKIM because they felt their messages should not be forwarded to another provider. I didn’t quite understand the logic, but it was their decision.
I definitely favor some language that endorses using both and perhaps even outlines the pitfalls of using only one (can’t forward, both gives you a better chance of success, etc)

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: dmarc <[email protected]> On Behalf Of Barry Leiba
Sent: Thursday, April 13, 2023 12:44 PM
To: Dotzero <[email protected]>
Cc: Todd Herr <[email protected]>; John Levine <[email protected]>; [email protected]; [email protected]
Subject: Re: [dmarc-ietf] Signaling forwarders, not just MLMs

We can say that as well, but I want to specifically say "don't use SPF without DKIM and expect it to work right;"

b

On Thu, Apr 13, 2023 at 12:41 PM Dotzero <[email protected]> wrote:

On Thu, Apr 13, 2023 at 12:19 PM Barry Leiba <[email protected]> wrote:

Maybe just add a sentence to the end of the second paragraph:

The use of SPF alone, without DKIM, is strongly NOT RECOMMENDED.

Barry

I think the opposite. Something along the lines of "Sending domains SHOULD implement both SPF and DKIM to minimize breakage and non-delivery of mail."

Michael Hammer

On Thu, Apr 13, 2023 at 12:04 PM Todd Herr <[email protected]> wrote:

On Thu, Apr 13, 2023 at 11:21 AM Barry Leiba <[email protected]> wrote:

> Anyone who does forwarding is damaged by DMARC because there are a lot of
> people who do DMARC on the cheap with SPF only.

This brings up another issue, I think: that there should also be stronger advice that using DKIM is critical to DMARC reliability, and using SPF only, without DKIM, is strongly NOT RECOMMENDED.

I don't disagree. How do we make the following text stronger?

5.5.2. Configure Sending System for DKIM Signing Using an Aligned Domain
<https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2>

While it is possible to secure a DMARC pass verdict based on only one of SPF or DKIM, it is commonly accepted best practice to ensure that both authentication mechanisms are in place to guard against failure of just one of them.

This is particularly important because SPF will always fail in situations where mail is sent to a forwarding address offered by a professional society, school or other institution, where the address simply relays the message to the recipient's current "real" address. Many recipients use such addresses and with SPF alone and not DKIM, messages sent to such users will always produce DMARC fail.

The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.

--
Todd Herr | Technical Director, Standards and Ecosystem
e: [email protected]
m: 703.220.4153

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
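Added example, not part of the thread or of the draft: a simplified model of the DMARC verdict discussed above, comparing an SPF-only sender with one that also signs with an aligned DKIM domain when mail goes through a plain forwarder. The domains, addresses and helper names are constructed for illustration, and org_domain() is a two-label simplification of organizational-domain discovery.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed SPF data: envelope domain -> networks authorized to send for it.
SPF = {"bounces.utility.example": [ip_network("192.0.2.0/24")]}

@dataclass(frozen=True)
class Delivery:
    header_from: str               # Author Domain (RFC5322.From)
    mail_from: str                 # envelope sender domain that SPF checks
    client_ip: str                 # address the receiving server sees
    dkim_d: Optional[str] = None   # d= of a signature that verifies, if any

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use a public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier: str, author: str) -> bool:
    # Relaxed alignment: same organizational domain.
    return org_domain(identifier) == org_domain(author)

def spf_pass(d: Delivery) -> bool:
    nets = SPF.get(d.mail_from.lower(), [])
    return any(ip_address(d.client_ip) in net for net in nets)

def dmarc(d: Delivery) -> dict:
    spf_ok = spf_pass(d) and aligned(d.mail_from, d.header_from)
    dkim_ok = d.dkim_d is not None and aligned(d.dkim_d, d.header_from)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def forward(d: Delivery, forwarder_ip: str) -> Delivery:
    # Plain relay: envelope sender and content are untouched, so an existing
    # signature still verifies; only the connecting address changes.
    return replace(d, client_ip=forwarder_ip)

def scenarios() -> dict:
    spf_only = Delivery("utility.example", "bounces.utility.example", "192.0.2.10")
    both = replace(spf_only, dkim_d="mail.utility.example")
    fwd_ip = "198.51.100.25"   # constructed forwarder address
    return {"spf_only_direct": dmarc(spf_only)["dmarc"],
            "spf_only_forwarded": dmarc(forward(spf_only, fwd_ip))["dmarc"],
            "both_forwarded": dmarc(forward(both, fwd_ip))["dmarc"]}

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```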
