> On Sep 14, 2023, at 10:39 AM, Murray S. Kucherawy <superu...@gmail.com> wrote:
>
> On Wed, Sep 13, 2023 at 6:01 PM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
>>
>> The coverage problem is aggravated if we assume rational attackers. With a
>> plethora of domains available for impersonation, attackers are least likely
>> to use domains that are protected with p=reject. Therefore the reference
>> model implementation protects an evaluator where attacks are least likely,
>> and fails to protect an evaluator where attacks are most likely.
>
> So you're saying DMARC fails to protect domains that don't set "p=reject"?
> That claim has the appearance of a tautology.
>
First, I agree with your thoughts here. I always considered that, for these new DNS-based apps that offer policies, the highest payoff is the most restrictive policy; the partial policies like SPF soft fail or unknown policies or DMARC p=none policies are technically overhead and redundancy if every query is always a “well I don’t know” do what you wish. DNS and processing overhead. The highest payoff for SPF is -ALL and the highest payoff for DMARC is p=reject despite its faulty authorization or restrictive algorithm.

All the best,
Hector Santos
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc