ietf-wg-dmarc / draft-ietf-dmarc-dmarcbis


DMARCbis WGLC: Section 5.5.1 and 5.5.2 SHOULD vs MUST #132

Closed toddherr closed 7 months ago

toddherr commented 7 months ago

There has been concern expressed on list about the use of SHOULD when perhaps MUST would be better, especially in the subject sections.

The current text of section 5.5.1, Publish an SPF Policy for an Aligned Domain, reads:

Because DMARC relies on SPF [RFC7208] and DKIM [RFC6376], in order to take full advantage of DMARC, a Domain Owner SHOULD first ensure that SPF and DKIM authentication are properly configured. As a first step, the Domain Owner SHOULD choose a domain to use as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail, one that aligns with the Author Domain, and then publish an SPF policy in DNS for that domain. The SPF record SHOULD be constructed at a minimum to ensure an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom domain.

Proposed new text:

Because DMARC relies on SPF [RFC7208] and DKIM [RFC6376], in order to take full advantage of DMARC, a Domain Owner MUST first ensure that either SPF or DKIM authentication are properly configured, and SHOULD ensure that both are.

To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail that aligns with the Author Domain, and then publish an SPF policy in DNS for that domain. The SPF record MUST be constructed at a minimum to ensure an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom domain.

In addition, the last paragraph in section 5.5.2, Configure Sending System for DKIM Signing Using an Aligned Domain, reads:

The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.

Proposed new text:

To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.
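A configuration check for the alignment that sections 5.5.1 and 5.5.2 ask the Domain Owner to set up, as an added example that is not part of this issue or the draft: it reads a stored message and reports whether the Return-Path domain and any DKIM d= domain align with the Author Domain. The function names, the sample message and the caller-supplied `org_domain` (the Organizational Domain, determined elsewhere) are assumptions; the code compares domains only and performs no SPF evaluation or DKIM signature verification.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the issue); bh= and b= are dummies.
SAMPLE = """Return-Path: <bounces@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example.net; s=s1;
 h=from:subject; bh=constructed; b=constructed
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s2;
 h=from:subject; bh=constructed; b=constructed
From: Alice <alice@example.com>
Subject: constructed sample

body
"""

def domain_of(addr_header):
    """Lowercased domain of the first address in a header value ('' if none)."""
    addr = parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def dkim_domains(msg):
    """Collect the d= tag from every DKIM-Signature header (folding removed)."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        for tag in value.split(";"):
            name, _, val = tag.partition("=")
            if name.strip() == "d":
                found.append("".join(val.split()).lower().rstrip("."))
    return found

def aligned(identifier, author, org_domain=None):
    """Strict (org_domain None): exact match. Relaxed: both at or under org_domain."""
    if not identifier or not author:
        return False
    if org_domain is None:
        return identifier == author
    # The leading dot stops 'notexample.com' from matching 'example.com'.
    return all(d == org_domain or d.endswith("." + org_domain) for d in (identifier, author))

def check_alignment(raw_message, org_domain=None):
    """Report SPF-identifier and DKIM-identifier alignment with the Author Domain."""
    msg = message_from_string(raw_message)
    author = domain_of(msg.get("From"))
    mailfrom = domain_of(msg.get("Return-Path"))  # RFC5321.MailFrom as recorded at delivery
    return {
        "author": author,
        "spf_aligned": aligned(mailfrom, author, org_domain),
        "dkim_aligned": any(aligned(d, author, org_domain) for d in dkim_domains(msg)),
    }
```

With the sample, the subdomain Return-Path aligns only when `org_domain="example.com"` is supplied, while the second DKIM signature aligns in both modes.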

toddherr commented 7 months ago

Text updated and committed to working branch.