I hope this would be a consideration as a fix or method to address the problem with DMARC's p=reject restrictive policy for 3rd party signers, including mailing lists.

Please correct any misunderstanding with the DMARC draft I may have.

DMARC by definition requires alignment for matching domains. An adkim=s (strict) is an exact match and adkim=r (relaxed) means sub-domains are allowed.

From what I see, there is no 3rd party allowance and the only things that save you are p=none or p=quarantine.

If the DMARC draft is locked down, I would like to propose an extension. Section 3.1.4.3 talks about authentication extensions:

   3.1.4.3.  Alignment and Extension Technologies

   If DMARC is extended to include the use of other authentication
   mechanisms, the extensions will need to allow for domain identifier
   extraction so that alignment with the RFC5322.From domain can be
   verified.

This would be a simple first-step consideration -- a new ATPS tag:

  atps=0  default, extension disabled, allowing backward compatibility.
  atps=1  Valid alignment allows a valid 3rd party signature (no checks).
  atps=2  Valid alignment allows a valid 3rd party signature with ATPS
          (Authorized 3rd Party Signer) checking, RFC6541.

atps=1 basically declares a relaxed MUST SIGN policy. atps=2 means the 3rd party signer must be authorized using RFC6541. Pete Resnick is exploring a May-Resign protocol idea, so we add
an option for it.

  atps=3  Valid alignment allows a valid 3rd party signature using
          the May-Resign header method.

--
HLS


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
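To make the proposed atps=0/1/2 semantics concrete, here is an added example (not the poster's code, and not part of any DMARC or RFC 6541 implementation) that evaluates a DMARC record carrying the hypothetical `atps` tag against a set of verified DKIM d= domains. DNS is simulated with an in-memory dict; the ATPS record name follows my reading of RFC 6541 (base32 of sha1 over the signer's d= domain, under the `_atps` label of the author domain, TXT `v=ATPS1; d=...`); relaxed alignment is approximated without a public-suffix list; atps=3 (May-Resign) is left unmodelled because the post gives no mechanism for it.

```python
import base64
import hashlib

# Constructed, in-memory stand-in for DNS TXT lookups (no network).
DNS_TXT = {}

def atps_query_name(signer_domain, author_domain):
    """RFC 6541-style name: base32(sha1(signer))._atps.<author> (my reading of the RFC)."""
    digest = hashlib.sha1(signer_domain.lower().encode()).digest()
    label = base64.b32encode(digest).decode().rstrip("=")  # 20 bytes -> 32 chars, no padding
    return f"{label}._atps.{author_domain.lower()}"

def authorize_signer(author_domain, signer_domain):
    """Publish a constructed ATPS record: the author domain authorizes a 3rd party signer."""
    DNS_TXT[atps_query_name(signer_domain, author_domain)] = f"v=ATPS1; d={signer_domain}"

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(from_domain, sig_domain, adkim):
    """adkim=s: exact match; adkim=r: approximated as same domain or sub-domain."""
    f, s = from_domain.lower(), sig_domain.lower()
    if adkim == "s":
        return f == s
    return f == s or s.endswith("." + f) or f.endswith("." + s)

def evaluate(dmarc_record, from_domain, dkim_results):
    """Return 'pass' or the p= disposition. dkim_results: [(d= domain, signature verified)]."""
    tags = parse_tags(dmarc_record)
    policy = tags.get("p", "none")
    adkim = tags.get("adkim", "r")
    atps = int(tags.get("atps", "0")) if tags.get("atps", "0").isdigit() else 0  # proposed tag
    if any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results):
        return "pass"  # standard DMARC: an aligned, valid DKIM signature is enough
    valid_third_party = [d for d, ok in dkim_results if ok]
    if atps == 1 and valid_third_party:
        return "pass"  # relaxed MUST SIGN: any valid signature, no further checks
    if atps == 2:  # signer must be authorized by the From domain via an ATPS record
        for signer in valid_third_party:
            record = DNS_TXT.get(atps_query_name(signer, from_domain))
            if record and parse_tags(record).get("v") == "ATPS1":
                return "pass"
    return policy  # no aligned or allowed signature: apply p=none/quarantine/reject

authorize_signer("example.com", "lists.example.org")  # constructed sample authorization
```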
