> Roughly 80% of those reports are from Google, Yahoo!, and Microsoft.
>
> Is 20% success sufficient for me to switch to p=reject? I guarantee you it is not. At the end of the day, without the large providers on board, any solution that requires change at both the sender and the receiver needs the large providers on board or it's useless.

And from Murray:

> There's still that pesky registration problem to address.

Checking DNS for third party authorization may be a workaround for this problem at a large provider (Microsoft) but publishing them on behalf of Microsoft would be a tough (probably impossible) sell.

If I own my own domain, I can keep track of mailing lists for a few dozen users. But something like outlook.com has millions of years. The registration problem means that either we have to review hundreds or thousands of additions per day (or a bootstrap of tens of thousands) or automate it.

But if we automate it, that has its own problems:

- What's the threat model? How do we prevent malicious sign ups?
- The outlook.com sign-up is self-serve; this means that anyone can sign up for outlook.com and create their own mailing lists and subscribe to it, and then outlook.com would need to automatically add that to its DNS zone. In other words, a complete outsider can register something in the zone that is maintained by Microsoft. This can be abused (a spammer could blow up the zone by doing this tens or millions of times per day using a botnet).
- When do we remove things from DNS?

That's a big risk. I can't speak for the company, but I think we'd rather live with the DMARC p=reject inconvenience than allow a regular user to publish anything to its DNS zone.

-- Terry