> In theory, DKIM is enough for DMARC (this was always true), but in practice it
> is not.
Maybe you can afford to use SPF, DKIM, DMARC in pure theory for your day job, but people here expect to apply it to solve real problems with real email in real life. *SCNR* ... do not take that personally.

> I don't think there's evidence of a systemic weakness in the protocol. We've
> seen evidence of poor deployment of the protocol for SPF, but I think the
> solution is to fix that (see the separate thread on data hygiene).

The problem with DMARC is, there's no easy way to decide you can rely on SPF as long as it references shared IP infrastructure (because you can't decide whether an IP is shared or dedicated). In my view this is a tremendous weakness of the SPF protocol. (Maybe only 'cause I do not trust shared infrastructure providers to get their customers right all the time, 'cause I know how hard that is from being an ISP mailer.)

So to remove or at least ignore SPF from DMARC is a minimal requirement for DMARC being worth mentioning as supportive of sender authentication at all. Meanwhile it's a pretty viable attack vector against DMARC, foiling the idea of sender authentication.

Florian

_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
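The point argued above, as an added example that is not part of the original message: DMARC passes when either an aligned SPF result or an aligned DKIM result passes, so a receiver can measure which of its DMARC passes rest on SPF alone and what a DKIM-only evaluation (`trust_spf=False`) would decide instead. The header samples, domains, function names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re

# Constructed Authentication-Results values (RFC 8601 style); all domains are placeholders.
SAMPLES = [
    "mx.example.net; spf=pass smtp.mailfrom=news.example.com; dkim=pass header.d=example.com",
    "mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=none",
    "mx.example.net; spf=pass smtp.mailfrom=bounce@example.com; dkim=fail header.d=example.com",
    "mx.example.net; spf=softfail smtp.mailfrom=example.com; dkim=pass header.d=mail.example.com",
    "mx.example.net; spf=pass smtp.mailfrom=esp.example.org; dkim=pass header.d=esp.example.org",
]

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # A real evaluator looks this up in the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_results(value):
    """Return (method, result, domain) tuples for the spf and dkim entries."""
    out = []
    for part in value.split(";")[1:]:          # first field is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", part)
        if not m:
            continue
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(?:[^\s@;]*@)?([^\s;]+)", part)
        out.append((m.group(1), m.group(2).lower(), d.group(1) if d else None))
    return out

def dmarc_basis(from_domain, value):
    """Mechanisms that pass AND align (relaxed mode) with the From: domain."""
    want = org_domain(from_domain)
    return {method for method, result, dom in parse_results(value)
            if result == "pass" and dom and org_domain(dom) == want}

def classify(from_domain, value, trust_spf=True):
    basis = dmarc_basis(from_domain, value)
    if not trust_spf:
        basis.discard("spf")   # DKIM-only evaluation, as proposed in the message
    if not basis:
        return "fail"
    return "pass-spf-only" if basis == {"spf"} else "pass"

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify("example.com", s), classify("example.com", s, trust_spf=False), s)
```

Counting the `pass-spf-only` verdicts per sending domain over real mail shows how much legitimate traffic a DKIM-only policy would start failing before it is enforced.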
