On 11/10/2014 5:52 PM, Murray S. Kucherawy wrote:
> I've posted an update to the base draft, based on recent feedback from
> Ned and others. 


Tidbits...



Intro:

>  Security terms used in this document are defined in [SEC-TERMS].

There's a Terminology section, so this really belongs there.



2.2:

> attacks in the RFC5322.From field, also known as "display-name" attacks;

     attacks on using the free-form portion of the RFC5322.From field,
     also known as "display-name" attacks, after its ABNF rulename;



3.13:

The Flow Diagram needs to have the DKIM and SPF boxes /also/ connected
directly to the Filtering Engine, since they still provide information
directly to it.

I suggest either:

    +---------------+
    | Author Domain |< . . . . . . . . . . . . . . . . . . . . . . .
    +---------------+                        .           .         .
        |                                    .           .         .
        V                                    V           V         .
    +-----------+     +--------+       +----------+ +----------+   .
    |   MSA     |<****|  DKIM  |       |   DKIM   | |    SPF   |   .
    |  Service  |     | Signer |       | Verifier | | Verifier |   .
    +-----------+     +--------+       +----------+ +----------+   .
        |                                    *            *        .
        |                                    *        .   *        .
        V                                    **************        .
                                                          *        .
     +------+        (~~~~~~~~~~~~)     +------+          *        .
     | oMTA |------->( other MTAs )---->| rMTA |          *        .
     +------+        (~~~~~~~~~~~~)     +------+          *        .
                                           |              *  .......
                                           | **************  .
                                           V V            *  .
                                     +-----------+        V  V
                       +---------+   |    MDA    |     +----------+
                       |  User   |<--| Filtering |<***>|  DMARC   |
                       | Mailbox |   |  Engine   |     | Verifier |
                       +---------+   +-----------+     +----------+


or


     +---------------+
     | Author Domain |. . . . . . . . . . . . . . . . . . . . . . .
     +---------------+                     .             .        .
         |                                 .             .        .
         V                                 V             V        .
     +------------+     +--------+    +----------+ +----------+   .
     |    MSA     |<****|  DKIM  |    |   DKIM   | |    SPF   |   .
     |  Service   |     | Signer |    | Verifier | | Verifier |   .
     +------------+     +--------+    +----------+ +----------+   .
         |                                    *       *           V
         |                                    *       *     +----------+
         |                                    *************>|  DMARC   |
         |                                            *     | Verifier |
         |                                            *     +----------+
         |                                            *        *
         |                                            * ********
         |                                            * *
         |                                            V V
         V                                      +-----------+
      +------+    (~~~~~~~~~~~~)    +------+    |   MDA     |
      | sMTA |--->( other MTAs )--->| rMTA |--->| Filtering |
      +------+    (~~~~~~~~~~~~)    +------+    |  Engine   |
                                                +-----------+
                                  +---------+        |
                                  |  User   |<-------+
                                  | Mailbox |
                                  +---------+

Since Murray saw a variant of the latter from me earlier, he won't be
surprised that I prefer it...



5. Policy:

>    A Domain Owner may choose not to participate in DMARC evaluation by

   may -> can

(I assume that we don't use normative language to tell people that they
have the right to opt out of a specification...  Hmmm.  Normative
language would actually be contradictory, I think...)


>    Mail Receivers.  In this case, the Domain Owner simply declines to
>    advertise participation in those schemes.  For example, if the
>    results of path authorization checks ought not be considered as part
>    of the overall DMARC result for a given Author Domain, then the
>    Domain Owner does not publish an SPF policy record that can produce
>    an SPF pass result.

The way to opt out of DMARC is to not publish a DMARC record.  So "those
schemes" doesn't make sense to me, nor does the reference to an SPF record.

I think this should say:

     Mail Receivers.  In this case, the Domain Owner simply declines to
     advertise participation.  That is, the Domain Owner does not
     publish a DMARC record in the DNS.


d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
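The evaluation flow both diagrams depict, together with the opt-out point raised under "5. Policy", as an added Python example (not code from the draft, the list, or its author): the DKIM and SPF verifier results feed a DMARC verifier that checks identifier alignment against the RFC5322.From domain, a domain with no _dmarc record is not evaluated at all, and the filtering engine receives the DMARC verdict alongside the raw DKIM and SPF results. The in-memory DNS table, the two-label Organizational Domain rule, the exact-domain-only policy lookup and the field names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the DNS: the _dmarc TXT records of a few domains.
# A real receiver queries "_dmarc.<RFC5322.From domain>"; example.net publishes
# nothing, which is how a Domain Owner declines to participate in DMARC.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=quarantine",
}

def org_domain(domain):
    # Toy Organizational Domain rule: last two labels (assumption; a real
    # implementation consults the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    # needs the same Organizational Domain.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_record(txt):
    # Minimal tag=value parser; a record without v=DMARC1 and p= is ignored.
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None

@dataclass
class AuthResults:
    from_domain: str                  # RFC5322.From domain
    spf_domain: str = ""              # domain the SPF check authenticated
    spf_result: str = "none"
    dkim_passes: list = field(default_factory=list)  # d= of passing signatures

def dmarc_verify(auth, dns=DNS):
    # DMARC Verifier: combines the DKIM/SPF outputs with the published policy.
    # No record (exact-domain lookup only here) means no evaluation: "none".
    rec = parse_record(dns.get("_dmarc." + auth.from_domain.lower(), ""))
    if rec is None:
        return {"result": "none", "disposition": "none"}
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, auth.from_domain, rec.get("aspf", "r"))
    dkim_ok = any(aligned(d, auth.from_domain, rec.get("adkim", "r"))
                  for d in auth.dkim_passes)
    result = "pass" if spf_ok or dkim_ok else "fail"
    return {"result": result, "disposition": "none" if result == "pass" else rec["p"]}

def filtering_engine(auth, dns=DNS):
    # What the MDA Filtering Engine sees: the DMARC verdict alongside the raw
    # DKIM and SPF results that reach it directly, as the revised diagram shows.
    v = dmarc_verify(auth, dns)
    return {**v, "spf": auth.spf_result, "dkim_domains": list(auth.dkim_passes)}
```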
