J. Gomez writes:

> On Wednesday, June 04, 2014 9:34 PM [GMT+1=CET], John R Levine wrote:
>
> > > Obfuscating the domain is quite suspicious because then, what
> > > entity is taking responsibility for that email? What abuse
> > > help-desk can the potential receiver recourse to?
> >
> > The one whose DKIM signature is on the mail, of course. Sigh.
>
> But DKIM signatures are not mandatory, not even to be able to get a
> pass in DMARC checking.

If there's no DKIM signature, John's rule doesn't apply, and you fall back to whatever your rule for unsigned mail is.

Seriously, you guys have to give up on the idea that the whole world will follow arbitrarily strict protocols just because it makes spam fighting simpler. If a big ESP tries to impose them on receipt, and the users don't receive their mail, the users will vote with their feet and the ESP will cave. Conversely, if you try to impose them and a big ESP finds them inconvenient, the ESP will disobey (just as AOL and Yahoo! have done, implicitly, with "p=reject").

The best you can do is use protocols to gather information about the messages you receive, and use that information appropriately (for example, discounting the presence of a DKIM signature from a domain you have independent reason to believe is hacked and under the control of the Black Hats).

So, if there is a valid DKIM signature, then you know who to complain to. Don't you? What's the problem?

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
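The rule discussed in the message above (complain to the domain of a valid DKIM signature, discount signatures from domains you distrust, fall back to your unsigned-mail rule otherwise) can be sketched as follows. This is an added example, not part of the original thread; the sample messages, the authserv-id `mx.receiver.example`, the function names and the `distrusted` set are all assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages; all domains and the authserv-id are placeholders.
SIGNED = """\
Authentication-Results: mx.receiver.example;
 dkim=fail header.d=bulk.example;
 dkim=pass header.d=lists.example; spf=pass smtp.mailfrom=lists.example
From: Someone <user@obscured.invalid>
Subject: hello

body
"""
UNSIGNED = "From: Someone <user@obscured.invalid>\nSubject: hi\n\nbody\n"

# One match per DKIM result: the verdict and the signing domain (d=) it reports.
DKIM_RESULT = re.compile(r"dkim=(\w+)\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)")

def responsible_domains(raw, trusted_authserv, distrusted=frozenset()):
    """Return d= domains whose DKIM signature passed, minus distrusted ones."""
    msg = message_from_string(raw)
    domains = []
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())  # unfold continuation lines
        head = value.split(";", 1)[0].split()
        if not head or head[0].lower() != trusted_authserv:
            continue  # not stamped by our own border MTA, so possibly forged
        for result, domain in DKIM_RESULT.findall(value):
            domain = domain.lower()
            if result == "pass" and domain not in distrusted and domain not in domains:
                domains.append(domain)
    return domains

def complaint_target(raw, trusted_authserv, distrusted=frozenset()):
    """Pick who answers for the message, or signal the unsigned-mail fallback."""
    domains = responsible_domains(raw, trusted_authserv, distrusted)
    return ("dkim", domains) if domains else ("unsigned-policy", [])
```

The visible From: domain plays no part in the decision, which is the point made in the thread: responsibility follows the verified signing domain, and mail without a usable signature is handled by whatever local rule applies to unsigned mail.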