Michael Jack Assels writes:

> > I can't think of any. Some, many, or most of them were supposed
> > to be, but it has never turned out that way. I don't know why
> > DMARC is being held to a different standard.
>
> Isn't DMARC holding itself to a different standard?

That's a reasonable interpretation given the choice of mood ("reject" is a command), but in the end it's untenable. As Murray says, "policy frameworks" have been tried before, and they just don't work for "generic" email, although they work very well (as indeed DMARC does) for several important, but restricted, mail flows.

The problem with "generic" email is that the incentives of Author Domains which provide mailboxes for personal use are poorly aligned with the incentives of their mailboxes' users. Specifically, Author Domains consider spam-fighting priority one, and consider mailing lists and other indirect flows at best neutral, and often on net a nuisance, while their users want to participate freely in indirect flows (leaving the costs of spam-fighting up to the Author Domains).

> What's a receiver supposed to do with unaligned mail whose "From:"
> domain specifies p=reject?

Whatever they want to. If they think they can do filtering better than the sender, they may choose to ignore it, and there's nothing that can be done about it. Furthermore, I don't see why anyone other than the receiver's mailbox users should care what the receiver chooses to do.

> Clearly, the domain owner is explicitly asking that the message be
> rejected.

No, they are not, not in the case of AOL and Yahoo!. Representatives of both domains have thanked MLM developers for providing mitigations so that messages that in the normal (until DMARC) course of events would fail From alignment can be delivered to DMARC-participating receiving domains which (since DMARC) would reject them. Thus, Yahoo! and AOL are clearly taking the position that they would like those messages to be delivered.

Hector, J. Gomez, Franck, and others take the position that the world has changed due to spam and phishing, and therefore "what *was* normal" is now irrelevant. The new norm is: conform to DMARC and other dictatorial sender policy frameworks, or you're part of the problem. I disagree. Spamming and phishing are the problem; traditional practices of mailing lists are not.

> If DMARC intends that this be merely one of many factors to
> consider, then doesn't it boil down to nothing more than
> p=do-whatever?

No, there is valuable information in the policy. As far as I can see, the semantics of "p=reject" are:

    We have a serious spoofing problem. It is so serious compared to
    the potential damage due to rejecting legitimate messages that we
    accept all responsibility for nondelivery and collateral damage if
    you choose to reject.

In the case of direct mail flows, the potential damage due to rejection of legitimate mail is very low, and the potential damage from accepting spoofed mail is extremely high. If you know that a mail flow is direct, as a receiver you'd be crazy not to reject, and as a sender you'd be crazy not to accept the responsibility for receivers rejecting.

In the case of indirect flows, receivers may (or may not) want to prefer their judgment to that of the author domain, because often the expected damage from accepting is much lower, and the expected damage from rejecting much higher.

> Yes, I know that receivers can and will do as they please, but some
> receivers would be pleased as punch to cooperate in a scheme that
> gave solid proof of a message's illegitimacy in every case where it
> was asserted.

Murray's point is that "proof of illegitimacy" is probably a pipe dream, as shown by past experience with "policy frameworks".[1] Legitimacy, on the other hand, is fairly easy to prove, as DMARC shows in daily use by financial institutions and in other transactional mail flows.

Footnotes:

[1] Hector is right that they haven't really been tried, but I don't think the chance that they'll be tried in the future is high, because the reasons they've been hard to implement in the past remain true. The big problem is that policy frameworks proposed so far "work" only if you define "legitimacy" tautologically: if it gets past the policy framework, it's legit, else not. That's not what my users want, though. They want to receive the mail they want to receive, and otherwise not, and no policy framework so far has shown promise of implementing that.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
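The post above turns on what "From alignment" means for a direct flow versus a mailing-list relay, and on the MLM mitigation (rewriting From: to the list's domain) that AOL and Yahoo! thanked list developers for. The following Python is an added example written for this page; it is not code from the poster or from any DMARC implementation. It models the RFC 7489 alignment check with SPF and DKIM results supplied as data rather than verified from the network, and every domain, record and message in it is constructed for illustration. The tiny public-suffix table is a stand-in assumption for the real public suffix list a receiver would load.

```python
"""Added example, not part of the original list post: a minimal model of the
DMARC identifier-alignment check (RFC 7489) applied to the direct and indirect
(mailing-list) flows discussed above.  All domains, records and results are
constructed for illustration; the public-suffix table is a stand-in assumption."""
from dataclasses import dataclass, field

# Assumption: a tiny stand-in for the public suffix list a real receiver would load.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the label immediately above the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, filling in the RFC 7489 defaults used here."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResult:
    """What the receiver knows after SPF and DKIM verification of one message."""
    from_domain: str                      # RFC5322.From domain (the Author Domain)
    spf_domain: str                       # RFC5321.MailFrom domain SPF was checked against
    spf_pass: bool
    dkim_pass: list = field(default_factory=list)  # d= of each signature that verified


def evaluate(msg: AuthResult, record: str) -> dict:
    """DMARC passes if SPF or DKIM passed *and* that identifier aligns with From."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, msg.from_domain, tags["adkim"]) for d in msg.dkim_pass)
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # The published policy is the sender's request; the receiver may still override it.
        "requested": "none" if passed else tags["p"],
    }


# Constructed records and flows (hypothetical domains).
AUTHOR_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@author.example.com"
LIST_DMARC = "v=DMARC1; p=none"

# Direct flow: the author's own MTA sends; SPF and DKIM identifiers both match From.
DIRECT = AuthResult("author.example.com", "author.example.com", True, ["author.example.com"])

# Indirect flow: a list relays the post.  The envelope sender is now the list's bounce
# address (SPF passes for the list, not the author), and the subject tag plus footer
# broke the author's DKIM signature, so only the list's own signature verifies.
VIA_LIST = AuthResult("author.example.com", "lists.example.org", True, ["lists.example.org"])

# The MLM mitigation the thread refers to: the list rewrites From: to its own domain
# (keeping the author in Reply-To), so the list's DKIM signature is now aligned and
# the list's policy, not the author's p=reject, is what the receiver consults.
REWRITTEN = AuthResult("lists.example.org", "lists.example.org", True, ["lists.example.org"])


def scenarios() -> dict:
    """Requested disposition for each flow, keyed by scenario name."""
    return {
        "direct": evaluate(DIRECT, AUTHOR_DMARC)["requested"],
        "via_list": evaluate(VIA_LIST, AUTHOR_DMARC)["requested"],
        "from_rewritten": evaluate(REWRITTEN, LIST_DMARC)["requested"],
    }


if __name__ == "__main__":
    for name, disposition in scenarios().items():
        print("%-15s -> %s" % (name, disposition))
```

Running it gives "none" for the direct flow, "reject" for the unmodified list relay, and "none" again once From: has been rewritten, which is the mechanical reason the mitigation works. The model deliberately leaves out `pct`, the `sp` subdomain policy and the DNS lookup of the record itself, and `requested` is named that way on purpose: as the post says, it is the Author Domain's request, and what the receiver does with it is the receiver's decision.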