On Thursday, March 14, 2024 11:44:22 AM EDT Todd Herr wrote:
> Colleagues,
>
> Issue 135 is open for the subject topic. Please add your thoughts to this
> thread and/or to the issue in Github.
>
> Thank you.

I'd suggest we discuss where to say it first. I think the right place is
security considerations, which starts:

   11. Security Considerations

   This section discusses security issues and possible remediations
   (where available) for DMARC.

I think there are two related questions here:

One is the risk associated with what I'll call a false pass from one of the
underlying authentication mechanisms.

The other is the risk associated with using DMARC results for positive
associations (as BIMI does). Even absent third party considerations, all it
takes is one compromised user account and forged messages can get a DMARC
pass. DMARC was designed to identify "bad" mail, not certify any kind of
goodness.

I think both of these should be addressed as part of this issue in Security
Considerations.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc