Of course, it is my decision to authorize an ESP to send domain authenticated email on my domain's behalf. But I don't think it is currently very transparent for what I am signing up to? It is a carte blanche. All or nothing, for this particular (sub-) domain.
I feel that it is still my job to follow up if they are doing a good job with (i.e.): - verifying each individual From address. - requiring multi-factor auth. - providing domain admin notifications (for me to learn which of my users is responsible for a particular campaign). - alerting users if a domain that they are attempting to send from is DMARC protected while authentication mechanisms are not yet in place. Did anyone create a list of security features supported by various ESPs? Some seem to be focusing on a simple signup-process with very little verification. With those, it literally takes a single mouse click from any of my users to send from any local-part of my domain - forever. I am feeling a bit uneasy including their DKIM key & SPF record just to "get this DMARC green". I'd rather not. Any pointers? Simon _______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
