Apologies for being late to this thread and possibly rehashing things.  I
definitely think DMARC and DKIM2 should co-exist and complement each other,
as DMARC provides a policy declaration mechanism while DKIM2 provides an
authentication mechanism.

On Fri, Mar 21, 2025 at 7:41 AM Todd Herr <todd=
40someguyinva....@dmarc.ietf.org> wrote:
...

>
> So, assuming a future world where a DKIM2 specification includes the text
> "Mail Receivers SHOULD reject any message that fails DKIM2 validation" or
> similar, and DKIM2 is widely adopted by mailbox providers and MTA vendors,
> I have some questions about that world:
>
>    - Why would a Mail Receiver accept a message that fails DKIM2
>    validation?
>
If a receiver believes that DKIM2 validation has operational limitations.
Unfortunately this is something we might discover post-deployment.

>
>    - Why would a Domain Owner publish a DMARC policy record when it's
>    sending mail that is DKIM2-signed?
>
It allows a sender to declare that a message has been authenticated by one
of the DMARC sanctioned methods, and messages purporting to be from that
domain shall have authentication, i.e. one or both of SPF and DKIM and hopefully
in the future DKIM2. For receivers, detecting a message might have
originated with SPF authentication is not too hard though any forwarding
will benignly remove such authentication.  However, for DKIM and DKIM2,
it's much harder due to selectors.  DMARC provides a central location to
say messages from this domain are authenticated.  (Aside, the ability for a
sender to more specifically declare what authentication they provide is a
missed opportunity for DMARC).  This is in addition to reasons that other
folks have already mentioned: reporting and knowing when a sender wants to
soften handling an inauthentic message.

>
>    - What would anyone hope to gain by issuing or consuming DMARC reports
>    showing messages that failed DKIM2 validation but were accepted in spite of
>    such failure?
>
Once there are known false positives those reports may help debug them.

-Wei
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org