Douglas Otis writes:

 > There are many cases that are never originally signed by the DMARC
 > domain.  Such as an accounting package that sends out invoices on
 > behalf of some company that wants their email address in the From
 > header since this is what their customers will recognize.

I don't understand this example.  This use case seems quite compatible
with DMARC as it is.

That is, company and accountant should have a substantial and
expensive to maintain trust relationship already.  I would think that
the company could (a) provide an alias (subdomain) in its own domain
for the accountant's host, and advertise the accountant's policy via
_dmarc.invoices.example.com, or (b) maintain an authenticated channel
(i.e., special-purpose VPN) direct to a special host under its own
control in its own domain for the accountant to relay through, and the
company signs there.  Sure, there'd be some additional cost, but not
prohibitive.  Note that in either case the client can fire the
accountant in an instant by changing the DNS or shutting down the
authenticated channel.

 > > I suspect that many parties that implement DMARC are "cheating"
 > > by allowing things that look like mailing list or forwarded mail
 > > through even if they fail auth and the domain is p=REJECT.
 > > Providing a higher bar for when to "cheat" may be useful, then.

 > The hurdle that seems to be in everyone's mind is how to go about
 > facilitating feedback that is not a lot of work.

Again, I seem to require an additional clue.  DMARC feedback is
working fine AFAICS.  It may be costly, and we want to reduce those
costs, of course.  But "p=reject" OTOH is a more or less legitimate
denial of service, a completely different issue.  Are you talking
about a different kind of feedback?

Steve

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
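
Option (a) in the reply above, as an added example that is not part of the original message: a simplified RFC 7489 policy discovery run over constructed TXT data, showing the subdomain's own record being used and then the fallback to the organizational domain once that record is withdrawn. The record contents, accountant.example, and the two-label organizational-domain shortcut are assumptions; real receivers use the Public Suffix List.

```python
# Constructed sample TXT data keyed by owner name (not real DNS answers).
ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=reject"],
    "_dmarc.invoices.example.com":
        ["v=DMARC1; p=quarantine; rua=mailto:dmarc@accountant.example"],
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if it is not one."""
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    return ".".join(domain.split(".")[-2:])

def records(zone, name):
    return [r for r in map(parse_dmarc, zone.get(name, [])) if r]

def discover_policy(zone, from_domain):
    """Return (policy, record_name) for a From domain, or (None, None)."""
    from_domain = from_domain.lower().rstrip(".")
    name, inherited = "_dmarc." + from_domain, False
    recs = records(zone, name)
    org = org_domain(from_domain)
    if not recs and org != from_domain:
        # No record at the From domain: fall back to the organizational domain.
        name, inherited = "_dmarc." + org, True
        recs = records(zone, name)
    if len(recs) != 1:
        return None, None  # none or several records: no DMARC policy
    rec = recs[0]
    # A policy inherited by a subdomain uses sp= when present, else p=.
    policy = rec.get("sp", rec.get("p")) if inherited else rec.get("p")
    return policy, name

def revoke(zone, subdomain):
    """The client withdraws the subdomain's policy record from its DNS."""
    return {k: v for k, v in zone.items() if k != "_dmarc." + subdomain}

if __name__ == "__main__":
    print(discover_policy(ZONE, "invoices.example.com"))
    print(discover_policy(revoke(ZONE, "invoices.example.com"),
                          "invoices.example.com"))
```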
