Hector Santos writes:

> [Mail From: a domain under .INVALID] is not legitimate mail per the
> proposed security protocol.
Sorry, in this subthread, "legitimate", as used by Franck and myself, means "delivery desired by the addressee". If you want to insist on a different definition, go ahead, but that's very rude to the previous posters and confuses other readers.

Nor does DMARC say it's nonconforming; in fact, it automatically passes identity alignment, because there's nobody who is allowed to create domains under .invalid, so there can be no _dmarc.x.y.invalid. I suppose it's nonconforming to RFC 5322, but I wouldn't reject mail merely because From contains a mailbox at an invalid domain. Of course you can do what you want in your domain.

Like you, I think it violates the spirit of the security protocol -- but so do all mitigations that preserve the address in From in such a way as to indicate that it is the mailbox of the author, and so lend the message whatever prestige the author may have with the recipient. Such mitigations are clearly desired by the users of mailboxes at AOL and Yahoo!, and some such mitigation is recommended (and in the case of Yahoo!, practiced) by the ESPs publishing "p=reject". You can take a letter-of-the-law stance (I believe you do), and as far as I can tell that means banning those domains from your lists (unless the lists preserve signatures). But that's not acceptable to our users.

> The problem and conversation should be focused on resolving the 9
> year old mail integration dilemma -- the dearth of resigners not
> wanting to check for bad DKIM-secured transactions via a policy
> layer protocol. Keep in mind that the suggested rewrite
> applicability for p=reject domains implies that a DNS lookup is
> presumed to be part of the DKIM framework. If we can get to that
> level, we are home free. But unfortunately, the concept has been
> killed by the IETF when it decided to make ADSP historic.

DMARC resurrected the concept of a DNS lookup to discover policy, no? But I don't think it's as easy as you say.
It may be trivial to publish records authorizing third parties to sign messages with your mailboxes in From:, but I doubt it will be done, at least not for the thousands of tiny lists out there with no personal contact with the big ESPs.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc