----- Original Message -----
> From: "Murray S. Kucherawy" <superu...@gmail.com>
> To: "Franck Martin" <fra...@peachymango.org>
> Cc: dmarc@ietf.org, "Scott Kitterman" <skl...@kitterman.com>
> Sent: Tuesday, December 23, 2014 11:20:30 PM
> Subject: Re: [dmarc-ietf] Jim Fenton's review of -04
> On Wed, Dec 24, 2014 at 2:13 AM, Franck Martin <fra...@peachymango.org> wrote:
> > I think we should recommend something here, not sure if it needs to be
> > normative. We do say to ignore the SPF policy when p!=none, though I think
> > we can be normative on the lower layers. I see 2 options here:
> >
> > 1) tempfail the message if either SPF or DKIM has a tempfail status
> >
> > 2) tempfail the message if both SPF and DKIM have a tempfail status
> >
> > 1) is my preferred and is aggressive, therefore not sure people will like it.
> > I'll settle for 2)
> >
> > As explained in another post, I'm worried I can run a DNS attack (or just a
> > self-inflicted DNS bad config) and get DMARC to reject emails it should have
> > accepted (has the DMARC policy in cache, but cannot assert SPF and DKIM).
>
> I think it's reasonably clear from 5.6.3 that the "fail open" choice is
> possibly dangerous, as is anything that fails open.
>
> But more importantly, I'm also worried about making a normative decision now
> about something we deliberately haven't specified up to this point for
> whatever reason. We are supposed to be documenting current practice with
> this effort, not establishing something new.
>
> Might this be something best left for the standards track WG effort?

Fair enough, but curious about standard practice. For instance, what does OpenDMARC do? And others?

I think DMARC got us to be "stricter" and less "lenient" with email.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
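The two tempfail options Franck lists, next to the alternative of treating an SPF/DKIM temperror as a plain non-pass, modeled as an added Python example (not code from the thread, from the DMARC draft, or from OpenDMARC); the authentication results and the cached p= value are constructed inputs, and the strategy names are the example's own.

```python
from dataclasses import dataclass


@dataclass
class AuthResults:
    """Per-message authentication results as seen by the DMARC evaluator."""
    spf: str            # "pass", "fail", "none" or "temperror"
    spf_aligned: bool   # SPF-authenticated domain aligns with the From: domain
    dkim: str           # "pass", "fail", "none" or "temperror"
    dkim_aligned: bool  # the passing DKIM d= domain aligns with the From: domain


def dmarc_disposition(r: AuthResults, policy: str, strategy: str) -> str:
    """Decide what to do with a message given an already-cached DMARC p= value.

    policy:   the sender's p= value ("none", "quarantine" or "reject").
    strategy: how SPF/DKIM temperrors are handled (names are this example's):
      "treat_as_fail" - a temperror is just a non-pass; the policy applies
      "either"        - option 1 above: tempfail if SPF OR DKIM is temperror
      "both"          - option 2 above: tempfail only if BOTH are temperror
    Returns "accept", "tempfail", or the policy action to apply.
    """
    # DMARC passes as soon as one aligned identifier authenticates.
    if (r.spf == "pass" and r.spf_aligned) or (r.dkim == "pass" and r.dkim_aligned):
        return "accept"
    spf_temp = r.spf == "temperror"
    dkim_temp = r.dkim == "temperror"
    if strategy == "either" and (spf_temp or dkim_temp):
        return "tempfail"   # defer; the sending MTA retries once DNS recovers
    if strategy == "both" and spf_temp and dkim_temp:
        return "tempfail"
    # DMARC fail (or a temperror the strategy does not defer on): apply p=.
    return "accept" if policy == "none" else policy


def compare_strategies(r: AuthResults, policy: str) -> dict:
    """Evaluate the same message under all three strategies side by side."""
    return {s: dmarc_disposition(r, policy, s)
            for s in ("treat_as_fail", "either", "both")}


if __name__ == "__main__":
    # Constructed scenario from the thread: the p=reject record is cached, but
    # the SPF and DKIM lookups both fail on a DNS outage or DNS attack.
    outage = AuthResults("temperror", False, "temperror", False)
    print(compare_strategies(outage, "reject"))
    # -> treat_as_fail rejects legitimate mail; "either" and "both" defer it.
```

Only the first strategy turns a transient DNS problem into a permanent reject of mail that would otherwise have passed; the two tempfail options differ only when exactly one of SPF or DKIM is in temperror.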