Re: [dmarc-ietf] Should we encourage the use of SPF "soft include" for common platforms?

Tim Wicinski <> Sat, 23 February 2019 18:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 93F7A130DE9; Sat, 23 Feb 2019 10:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FdnC2HRpRdMU; Sat, 23 Feb 2019 10:39:15 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DFDDD12008F; Sat, 23 Feb 2019 10:39:14 -0800 (PST)
Received: by with SMTP id p18so4455271ioh.5; Sat, 23 Feb 2019 10:39:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4xHEsg0hs5sFBAHveQfbBLV0VSwGDNlzUYLi6wI0yxg=; b=RHfpVJyokNw9hpu5ZaNNQ54jjx5uLeFxEFcn43m/kmMbchPBlWGFUiJ6/TjMAKuM4n rA5smKUwhaYFrLiuygOrx+uJWk/BMh/luTFnXOhvileGQUh5YZrf2SiMMx7phsWEWpuk iekGa3Y92LMXU8D4wCQT/Sf/VuulQdKSoycPrIkLfSOWSnMbOLw7v4+uxJR67qlxul+z S6YFGn5xN/5yvqbphC9qfzwI1mnwWOZvMEfP45FOlQe9Q09vhvKzGk//9RqJHtWjfRpg ds1SSh2zklptLI7uGa2kGNGSS0NOkqtU8RNzdRV+RMSjXm/o38R1tlE2VI3OEaK/bJ/Y e5Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4xHEsg0hs5sFBAHveQfbBLV0VSwGDNlzUYLi6wI0yxg=; b=sxL4Wx7iB1KbFanRUS6xSE+f0jE8eeA1b8xE9AB8qVHtM5J/NTcuybcS7lMc+Y6IpN DmvgffPOU+ihj+ZhHTf5BInUzCzVb7/dqDSFjHaJNK7mZX1/FdkxKkvQ9WRvJcSEGU6Z 88KfCOeMIIZzm/0Obd7pgDLn0iqjxCIF0VI8njffowPYTmVpoWC2J0e159za/gl07Ca4 mHgc+NkT6+wTf/QCbaVGWjkH+jeIpqEkSgyMZ5wM7u9PYqpzq8v8NeKgwSOW7WyQNTYD 5to0Xi4/lBXmK23unq71GATvflEVklQtZfnUwajZpgPzcGWo0QR6G1DRnihCFc3dGY96 I6tw==
X-Gm-Message-State: AHQUAubOUlwuGn9nffi7nwJbah/sHlJv+tq0CaXe2cwWOOhAI2kfZ5lp zwBQnp55o82Qz9xyHEPRfcaqJ0pxZM/OuWxd968=
X-Google-Smtp-Source: AHgI3IYCCjORNnROjuuO+2kdpF7RTWSs4qhZeCcDU82leDABKU8c7YdNy0MWCbSTziffn9SKoMkpjZaMLh0wxmuxAQM=
X-Received: by 2002:a5e:8d0e:: with SMTP id m14mr5909049ioj.30.1550947153771; Sat, 23 Feb 2019 10:39:13 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Tim Wicinski <>
Date: Sat, 23 Feb 2019 13:39:02 -0500
Message-ID: <>
To: "Kurt Andersen (b)" <>
Cc: "" <>,
Content-Type: multipart/alternative; boundary="0000000000002a814d05829406cf"
Archived-At: <>
Subject: Re: [dmarc-ietf] Should we encourage the use of SPF "soft include" for common platforms?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 23 Feb 2019 18:39:18 -0000


This is pretty interesting.  I've been assisting several teams as we have
been (very) slow rolling the DMARC policy out of reporting through
quarantine into reject. They been pulling all the disparate teams into
deploying DKIM, but I was pointing out they have been guessing on who is
using DKIM vs. being in our datacenter (and thus our SPF records).
Doing the ?include would assist especially on operational type deployments.


On Sat, Feb 23, 2019 at 1:08 PM Kurt Andersen (b) <> wrote:

> With the growth of huge platforms that emit mail from the same common set
> of IPs (such as GSuite, O365, or large ESPs), regular SPF "include" ends up
> granting a DMARC pass to a lot more potential authors than most
> organizations would necessarily choose to grant.
> Instead of using the standard "(+)include:" approach, if domain owners
> used "?include:" as their mechanism, then that would prevent the SPF result
> from granting a DMARC PASS result when traffic is coming from one of these
> massively included platforms. It would essentially force the DMARC result
> to be driven only by the DKIM evaluation.
> Thoughts?
> --Kurt Andersen
> (I'm copying the spfbis list too because there may be folks lurking there
> who are not on the DMARC list)
> _______________________________________________
> dmarc mailing list