On Wed, Dec 24, 2014 at 2:40 AM, Franck Martin <fra...@peachymango.org>
wrote:

> ------------------------------
>
> *From: *"Murray S. Kucherawy" <superu...@gmail.com>
> *To: *"Franck Martin" <fra...@peachymango.org>
> *Cc: *dmarc@ietf.org, "Scott Kitterman" <skl...@kitterman.com>
> *Sent: *Tuesday, December 23, 2014 11:20:30 PM
> *Subject: *Re: [dmarc-ietf] Jim Fenton's review of -04
>
> On Wed, Dec 24, 2014 at 2:13 AM, Franck Martin <fra...@peachymango.org>
> wrote:
>
>> I think we should recommend something here, not sure if it needs to be
>> normative. We do say to ignore the SPF policy when p!=none, though I think
>> we can be normative on the lower layers. I see 2 options here:
>> 1) tempfail the message if either SPF or DKIM has a tempfail status
>> 2) tempfail the message if both SPF and DKIM have a tempfail status
>>
>> 1) is my preferred and is aggressive, therefore not sure people will like
>> it. I'll settle for 2)
>>
>> As explained in another post, I'm worried I can run a DNS attack (or just
>> a self-inflicted DNS bad config) and get DMARC to reject emails it should
>> have accepted (has the DMARC policy in cache, but cannot assert SPF and
>> DKIM).
>>
>>
> I think it's reasonably clear from 5.6.3 that the "fail open" choice is
> possibly dangerous, as is anything that fails open.
>
> But more importantly, I'm also worried about making a normative decision
> now about something we deliberately haven't specified up to this point for
> whatever reason.  We are supposed to be documenting current practice with
> this effort, not establishing something new.
>
> Might this be something best left for the standards track WG effort?
>
> Fair enough, but curious about standard practice. For instance, what
> does OpenDMARC do? And others?
>
> I think DMARC got us to be "stricter" and less "lenient" with email.
>
>
OpenDMARC gets the message only after OpenDKIM is done with it, so if
OpenDKIM temp-fails, OpenDMARC never even sees it.  Thus, the case we're
concerned about here can't ever happen.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
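
The two tempfail options proposed in the thread, next to the behaviour the DNS concern describes (cached policy applied although SPF and DKIM could not be evaluated), as an added example that is not part of the original messages and is not OpenDMARC code. All names are hypothetical, and it assumes that one aligned pass satisfies DMARC, so the options only matter when neither mechanism passes.

```python
from enum import Enum

class Auth(Enum):
    PASS = "pass"            # authenticated and aligned with the From: domain
    FAIL = "fail"
    TEMPERROR = "temperror"  # transient error, e.g. the DNS lookup timed out

class Mode(Enum):
    TEMPERROR_IS_FAIL = 0    # apply the cached policy anyway (the worry in the thread)
    EITHER = 1               # option 1: tempfail if SPF or DKIM is temperror
    BOTH = 2                 # option 2: tempfail only if SPF and DKIM are temperror

def disposition(spf, dkim, policy, mode):
    """Return 'accept', 'quarantine', 'reject' or 'tempfail' for one message."""
    # Assumption: one aligned pass satisfies DMARC, whatever the other result is.
    if Auth.PASS in (spf, dkim):
        return "accept"
    temperrors = (spf, dkim).count(Auth.TEMPERROR)
    if mode is Mode.EITHER and temperrors >= 1:
        return "tempfail"    # SMTP 4xx: the sender retries later
    if mode is Mode.BOTH and temperrors == 2:
        return "tempfail"
    # Nothing passed and no deferral applies: enforce the published policy.
    return "accept" if policy == "none" else policy

# Constructed scenarios: (description, SPF result, DKIM result)
SCENARIOS = [
    ("receiver DNS outage, legitimate mail", Auth.TEMPERROR, Auth.TEMPERROR),
    ("forwarded mail, DKIM key lookup timed out", Auth.FAIL, Auth.TEMPERROR),
    ("SPF lookup timed out, DKIM verified", Auth.TEMPERROR, Auth.PASS),
    ("spoofed mail, DNS healthy", Auth.FAIL, Auth.FAIL),
]

def compare(policy="reject"):
    """Map each scenario to its disposition under every mode."""
    return {name: {m.name: disposition(spf, dkim, policy, m) for m in Mode}
            for name, spf, dkim in SCENARIOS}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:45} {row}")
```

The second scenario is the only one where options 1 and 2 differ: option 1 defers the message, option 2 applies the policy because only one mechanism had a transient error.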
