On Monday, April 27, 2015 7:09 AM [GMT+1=CET], Hector Santos wrote:

> On 4/25/2015 6:24 AM, Rolf E. Sonneveld wrote:
> > > 
> > > I'd like to note that it is the presence/existence of actor
> > > "Mediator" which induces the DMARC compatibility problems with
> > > indirect flows.
> > > 
> > > I.e., if you suppress the Mediator, all is fine and dandy. That
> > > fact should at least put some pressure on Mediator regarding the
> > > searching for a solution, and should induce Mediator to
> > > acknowledge that he will have to assume certain costs for such a
> > > solution. 
> > > 
> > > I see Originator already assuming costs: deploying SPF in DNS and
> > > keeping it current, deploying DKIM records and DKIM-signing
> > > outgoing email, deploying DMARC records and being vigilant
> > > regarding Header-From alignment in his outgoing email, etc.
> > > 
> > > And I see Receiver already assuming costs: setting up systems to
> > > check SPF, DKIM and DMARC for incoming email, dealing with the
> > > support costs of false positives and phished users, sending out
> > > DMARC reports, etc.
> > > 
> > > What costs are Mediators currently taking to improve
> > > validation/authentication of the email system as a whole?
> > 
> > and what benefits do they get in return?
> 
> Smooth operation?
> 
> Mediators don't really need to change, but their entry points need to
> support DKIM+POLICY.  For example, the Mediator receiver can simply
> support honoring restrictive policies and it doesn't need to bother
> with much else.

That is interesting.

Couldn't the DMARC specification spell out that Receivers claiming to be 
DMARC-compliant, when choosing to *accept* incoming messages from Senders 
publishing p=reject (irrespective of whether such accepted messages passed or 
not the DMARC checks), CANNOT after-the-fact reinject such received messages 
into the public email infrastructure in any way that could render them (or 
reveal them to be) DMARC-rejectable?

So that if any Receiver-turned-Originator (i.e., Mediator) does otherwise, they 
CANNOT claim to be DMARC-compliant?

That would force DMARC-compliant Mediators to reject (or accept but not resend) 
incoming email from p=reject domains, irrespective of whether such mail passes 
or not the initial incoming DMARC checks.

Then, if the market deems DMARC valuable by itself, pressure would be applied 
by the "invisible hand" there where it needs to be applied (so that reputable 
actors in the email ecosystem could claim to be DMARC-compatible).

Regards,
J.Gomez

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
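
The rule proposed in the message above (a Mediator does not resend mail whose Header-From domain publishes p=reject, whether or not the inbound DMARC check passed), sketched as an added example that is not code from the thread or from any DMARC implementation. The function names, the sample records and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample DMARC TXT records, keyed by the DNS name they would be published at.
SAMPLE_DNS = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "_dmarc.shop.example": "v=DMARC1; p=quarantine; sp=reject",
    "_dmarc.club.example": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Return the record's tags, or None if it is not a usable DMARC policy record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    # The v tag must come first and a policy record must carry p.
    if not pairs or pairs[0][0].strip() != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Assumption: the last two labels. A real implementation consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def effective_policy(from_domain, lookup=SAMPLE_DNS.get):
    """Policy discovery: the exact domain first, then the organizational domain."""
    domain = from_domain.lower().rstrip(".")
    for name in (domain, org_domain(domain)):
        tags = parse_dmarc(lookup("_dmarc." + name) or "")
        if tags:
            # A record found at the organizational domain applies sp to subdomains.
            if name != domain and "sp" in tags:
                return tags["sp"].lower()
            return tags["p"].lower()
    return None

def mediator_decision(header_from):
    """Hypothetical gate a Mediator runs on the Header-From before any resend."""
    domain = parseaddr(header_from)[1].rpartition("@")[2]
    # The inbound DMARC result is deliberately not an input: under the proposal the
    # published policy alone decides whether the message may be reinjected.
    if effective_policy(domain) == "reject":
        return "reject-or-hold"   # refuse at SMTP time, or accept but do not resend
    return "resend"
```
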