[dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)

Todd Herr <todd.herr@valimail.com> Thu, 14 March 2024 14:09 UTC


Colleagues,

After reviewing the "Another point SPF advice" thread and Murray's separate
post re: SHOULD vs. MUST, I have opened issue 132 on the topic:

The current text of section 5.5.1, Publish and SPF Policy for an Aligned
Domain, reads:

==================================================
Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to
take full advantage of DMARC, a Domain Owner SHOULD first ensure that SPF
and DKIM authentication are properly configured. As a first step, the
Domain Owner SHOULD choose a domain to use as the RFC5321.MailFrom domain
(i.e., the Return-Path domain) for its mail, one that aligns with the
Author Domain, and then publish an SPF policy in DNS for that domain. The
SPF record SHOULD be constructed at a minimum to ensure an SPF pass verdict
for all known sources of mail for the RFC5321.MailFrom domain.
==================================================

In the ticket, I propose the following replacement text:

==================================================
Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to
take full advantage of DMARC, a Domain Owner MUST first ensure that either
SPF or DKIM authentication are properly configured, and SHOULD ensure that
both are.

To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as
the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail
that aligns with the Author Domain, and then publish an SPF policy in DNS
for that domain. The SPF record MUST be constructed at a minimum to ensure
an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom
domain.
==================================================

In addition, the last paragraph in section 5.5.2, Configure Sending System
for DKIM Signing Using an Aligned Domain, reads:

==================================================
The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d= domain
in the DKIM-Signature header) that aligns with the Author Domain.
==================================================

In the ticket, I propose the following new text:

==================================================
To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing
domain (i.e., the d= domain in the DKIM-Signature header) that aligns with
the Author Domain.
==================================================

Further notes on the threads that gave rise to this ticket:

   - I do not believe that recommending the use of the ? modifier in an SPF
   record configured for DMARC is appropriate, since as I understand the ?
   modifier, the result produced is not "pass", but rather "neutral", which is
   the same as "none". Therefore, an SPF record using ? would not produce an
   aligned pass to be used with DMARC. I am willing to be convinced that I'm
   wrong here.
   - That said, I think there is room for discussion of too-permissive SPF
   records and the cross-user forgery discussed in RFC 7208 Section 11.4, and
   I will open a separate issue for that to expand on section 8.1.


-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.herr@valimail.com
Phone: 703-220-4153
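As an added illustration of the alignment point made in this message (example code, not from the thread or the DMARCbis draft): a minimal SPF evaluator that handles only ip4/ip6/all mechanisms, with the organizational domain approximated by the last two labels instead of a Public Suffix List lookup, and a DMARC check that counts only an aligned "pass". It shows that a record ending in "?all" yields "neutral" for an unlisted source, which DMARC treats the same as no authentication.

```python
"""Added example: simplified SPF evaluation plus DMARC identifier alignment.
Assumptions: only ip4/ip6/all mechanisms are supported (include, a, mx and
redirect are skipped), and the organizational domain is the last two labels."""
import ipaddress

# RFC 7208 qualifier prefixes and the SPF result each one produces on a match.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result for client_ip against a simplified SPF record."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched: RFC 7208 default result


def org_domain(domain):
    """Simplification: last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, author_domain, mode="r"):
    """Strict ('s') alignment is an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return identifier.lower() == author_domain.lower()
    return org_domain(identifier) == org_domain(author_domain)


def dmarc_result(author_domain, spf_result, mailfrom_domain, dkim_sigs,
                 aspf="r", adkim="r"):
    """DMARC passes only when an aligned identifier produced a 'pass'.
    softfail, neutral and none never count, however well aligned they are."""
    if spf_result == "pass" and aligned(mailfrom_domain, author_domain, aspf):
        return "pass"
    for d_domain, result in dkim_sigs:   # (d= domain, DKIM verification result)
        if result == "pass" and aligned(d_domain, author_domain, adkim):
            return "pass"
    return "fail"
```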
