Alessandro Vesely writes:
> On Mon 02/Dec/2024 03:49:31 +0100 Tero Kivinen wrote:
> > Richard Clayton writes:
> >> (b) some small mailbox providers believe in the value of SPF to do
> >> early stage filtering of mailflows and may penalise your domain for
> >> not having any SPF at all.
> >
> > Doing early SPF filtering is against the DMARCbis document, as the
> > DMARCbis document does require checking both DKIM and SPF, and those
> > who do early filtering of emails based on SPF usually do it before
> > actually seeing the email, thus they do not even know whether the
> > emails have DKIM headers or not.
>
> I don't think so. There are several things that can occur to prevent
> message reception besides SPF, including DNSBLs. DMARC protocol
> begins /in case/ a message is received. Discarded messages don't
> count.
And all of those things are outside the scope of DMARCbis, thus they
can be ignored when we are talking about DMARCbis.
> > Anybody doing early stage filtering of mailflows based on the SPF, and
> > not checking DKIM is not following the DMARCbis document, thus they
> > are out of scope of the DMARCbis discussion.
>
>
> Issue #66 "Describe what it means to have implemented DMARC #14" eventually
> resulted in Appendix C.6. There is no DMARC medal.
Yes, and the point being? If you claim to support DMARCbis RFC after
it has been published, you need to support all MUSTs it lists.
Those MUSTs include:
For domain owner:
5.1.1. Publish an SPF Record for an Aligned Domain
To configure SPF for DMARC, the Domain Owner MUST send mail that has
an RFC5321.MailFrom domain that will produce an SPF-Authenticated
Identifier (#spf-identifiers) that has Identifier Alignment
(#identifier-alignment-explained) with the Author Domain.
and
5.1.2. Configure Sending System for DKIM Signing Using an Aligned
Domain
To configure DKIM for DMARC, the Domain Owner MUST send mail that has
a DKIM Signing Domain (#dkim-signing-domain) that will produce a
DKIM-Authenticated Identifier (#dkim-identifiers) that has Identifier
Alignment (#identifier-alignment-explained) with the Author Domain.
In version -30 it was clear that the recipient also needs to check both
DKIM and SPF before it finishes DMARC processing (old section 5.7.2),
but it seems that text was removed / changed in version -31, but I
assume the text:
5.3.3. Determine If Authenticated Identifiers Exist
For each Authentication Mechanism underlying DMARC, perform the
required check to determine if an Authenticated Identifier
(#authenticated-identifier) exists for the message if such check has
not already been performed.
is trying to say that all mechanisms (DKIM and SPF) need to be
supported, even when it does not say MUST.
> > You are allowed to do SPF only separately. You are not allowed to do
> > SPF only when you claim to do DMARCbis.
>
> What would one claim to do DMARCbis for?
There are lots of places which have a requirement for supporting DMARC
now, and I want to make sure that when DMARCbis gets added to those
lists, implementations claiming to support DMARCbis do what DMARCbis
says, and do support DKIM at least (there are lots of currently
deployed systems claiming to do DMARC that only have SPF in use).
I would be quite happy to only require DKIM, but people wanted to keep
support for SPF also.
> > I think the current document is clear about that, but perhaps we
> > should make it even more obvious, and explicitly say so.
>
> Section 7.1, "Issues Specific to SPF" is very explicative. Normatively, it
> just says that domain owners should (lowercase) be aware of this.
>
> Personally, I publish "?exists:%{ir}.list.dnswl.org -all" and on
> reception whitelist as specified in Appendix D of RFC 7208. It works
> decently well for me.
--
[email protected]
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
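The distinction argued in this thread (an SMTP-time SPF gate versus a DMARC evaluator that, per section 5.3.3, checks whether an aligned Authenticated Identifier exists for each mechanism) is shown below as an added example; it is not code from the thread, from DMARCbis, or from any DMARC implementation. It assumes SPF and DKIM verification have already produced "pass"/"fail" results, and it simplifies the Organizational Domain to the last two labels of a name (real implementations use the PSL or the DMARCbis tree walk). The sample messages are constructed.

```python
"""Minimal DMARC alignment evaluator beside an SPF-only pre-filter.

Added illustration only. Assumptions: SPF/DKIM results are supplied by
an earlier verification step, and the Organizational Domain is
approximated by the last two DNS labels.
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels stand in for the
    # Organizational Domain. Good enough for example.com-style names.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(author_domain: str, identifier_domain: str, mode: str) -> bool:
    """Identifier Alignment: 's' = strict (exact match), 'r' = relaxed
    (same Organizational Domain)."""
    a = author_domain.lower().strip(".")
    i = identifier_domain.lower().strip(".")
    if mode == "s":
        return a == i
    return org_domain(a) == org_domain(i)


@dataclass
class DkimSig:
    d: str          # DKIM Signing Domain (d= tag)
    result: str     # verifier outcome: "pass" or anything else


@dataclass
class Message:
    from_domain: str            # RFC5322.From domain (Author Domain)
    mail_from_domain: str       # RFC5321.MailFrom domain
    spf_result: str             # SPF verifier outcome
    dkim: list[DkimSig] = field(default_factory=list)


def spf_only_prefilter(msg: Message) -> bool:
    """What an early-stage SPF gate does: decides on SPF alone, at a point
    where the DKIM-Signature headers have not even been seen."""
    return msg.spf_result == "pass"


def dmarc_evaluate(msg: Message, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARCbis 5.3.3 in miniature: for EACH mechanism, determine whether an
    aligned Authenticated Identifier exists; DMARC passes if either does."""
    spf_aligned = (msg.spf_result == "pass"
                   and aligned(msg.from_domain, msg.mail_from_domain, aspf))
    dkim_aligned = any(
        sig.result == "pass" and aligned(msg.from_domain, sig.d, adkim)
        for sig in msg.dkim
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed sample 1: a forwarded message. SPF fails because the
# forwarder's IP is not in example.com's record, but the DKIM signature
# survived forwarding and is aligned under relaxed mode.
FORWARDED = Message(
    from_domain="example.com",
    mail_from_domain="example.com",
    spf_result="fail",
    dkim=[DkimSig(d="mail.example.com", result="pass")],
)

# Constructed sample 2: SPF passes for an unrelated bounce domain, so an
# SPF-only gate lets it through, yet nothing is aligned with the Author
# Domain and DMARC fails.
UNALIGNED = Message(
    from_domain="example.com",
    mail_from_domain="bounce.example.net",
    spf_result="pass",
    dkim=[DkimSig(d="example.net", result="pass")],
)


if __name__ == "__main__":
    for name, m in (("forwarded", FORWARDED), ("unaligned", UNALIGNED)):
        print(name, "spf-only gate:", spf_only_prefilter(m),
              "dmarc:", dmarc_evaluate(m))
```

The forwarded message is rejected by the SPF-only gate but passes DMARC on its aligned DKIM identifier; the unaligned message is accepted by the gate but fails DMARC. Switching `adkim` to strict ("s") makes `mail.example.com` no longer align with `example.com`, which is why alignment mode matters as much as the raw SPF or DKIM verdict.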