On Fri, Mar 15, 2024 at 1:47 AM Douglas Foster < dougfoster.emailstanda...@gmail.com> wrote:
> DMARC is an imperfect tool, as evidenced by the mailing list problem, > among others. DMARCbis has failed to integrate RFC7489 with RFC 7960, > because it provides no discussion of the circumstances where an evaluator > should override the DMARC result. I believe DMARCbis needs a discussion > about the appropriate scope and characteristics of local policy. > > > I disagree with your premise, and I submit that it is not the role of the IETF, DMARCbis, or any third party to determine either characteristics or appropriate scope for a policy that is local to a Mail Receiver. A Mail Receiver's goal is to make sure that its mailbox holders receive wanted mail while minimizing the amount of unwanted mail that's accepted, and how they work to achieve that goal is solely their purview. DMARC authentication results can and probably do inform their work, but they're just one piece of data for doing so. Their work will also be informed by many other data points, some of which we know (historical mailbox holder engagement with a given mail stream) and some of which we don't know, and they adjust their handling decisions all the time based on whatever signals they deem important. I believe that this paragraph in the Introduction section of DMARCbis concisely describes DMARC to Mail Receivers: A DMARC pass indicates only that the RFC5322.From domain has been authenticated for that message. Authentication does not carry an explicit or implicit value assertion about that message or about the Domain Owner. Furthermore, a mail-receiving organization that performs DMARC verification can choose to honor the Domain Owner's requested message handling for authentication failures, but it is not required to do so; it might choose different actions entirely. I further believe that the description of the 'p' tag and of its possible values of 'none', 'quarantine', and 'reject' in section 5.3, General Record Format, are enough to help the Mail Receiver understand how reliable the Domain Owner believes its authentication practices to be and, along with everything else the Mail Receiver knows about the sending domain, the source of the mail stream, etc., etc., how much weight can be assigned to a failed DMARC authentication result for that domain. -- Todd Herr | Technical Director, Standards & Ecosystem Email: todd.h...@valimail.com Phone: 703-220-4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc