> On Mar 14, 2016, at 11:28 PM, Kouji Okada <o...@lepidum.co.jp> wrote:
> 
> We have submitted a draft about DMARC default verification
> for domains not publishing DMARC records.
> Any comments will be appreciated.

Summary: If a domain does not opt-in to using DMARC, treat the domain
as though it had opted-in to using DMARC with "p=none adkim=s aspf=s".
Once that's deployed, change it to "p=reject adkim=s aspf=s". Possibly
do "p=quarantine" between the two.

There are multiple problems with this suggestion.

Firstly, DMARC is an opt-in protocol for good reason. It's a lot of work to
clean up all the mail streams for a domain such that all email is authenticated.
In many cases it is impossible to do so. Those domains that have not done
so should not publish a DMARC record.

Requiring DMARC-esque authentication (let alone strict alignment) from domains
that are not ready to use DMARC will cause a lot of wanted email to be treated
as having failed that test.

In your first phase, p=none, this will have no effect. The value of using p=none
in DMARC is so that domains can take advantage of DMARC reporting without
loss of legitimate email. You have no reporting, so this provides no value.

In your middle phase, p=quarantine, this will cause massive loss of wanted
email while still providing no feedback to senders.

In your final phase, p=reject, there will continue to be massive loss of wanted
email.

In none of those phases does your draft add any value. If a receiver wants to
pay attention to whether mail is authenticated or not it can already do so,
and it can do so much more effectively than any approach that requires strict
DMARC style alignment.

Cheers,
  Steve

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
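
The three phases discussed in the message above, worked through as an added example that is not part of the original email or the draft: a receiver applies "adkim=s aspf=s" to wanted mail from a domain that publishes no DMARC record. The sample messages, the domain names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example. Simplification (assumption): the organizational domain is the
# last two labels; a real verifier consults the Public Suffix List.
def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_pass(msg, strict):
    # DMARC passes when SPF or DKIM passed AND that identifier aligns with From.
    spf_ok = msg["spf_pass"] and aligned(msg["mail_from"], msg["from"], strict)
    dkim_ok = any(aligned(d, msg["from"], strict) for d in msg["dkim_pass"])
    return spf_ok or dkim_ok

def disposition(msg, policy, strict=True):
    if policy == "none" or dmarc_pass(msg, strict):
        return "deliver"
    return policy  # "quarantine" or "reject"

# Constructed messages: all are wanted mail with From: example.com, a domain
# that publishes no DMARC record. "dkim_pass" lists d= domains that verified.
MESSAGES = {
    # Sent directly, SPF and DKIM both on the exact From domain.
    "direct": {"from": "example.com", "mail_from": "example.com",
               "spf_pass": True, "dkim_pass": ["example.com"]},
    # Own infrastructure, but bounce and signing domains are subdomains.
    "subdomain_bounce": {"from": "example.com", "mail_from": "bounce.example.com",
                         "spf_pass": True, "dkim_pass": ["mail.example.com"]},
    # Third-party sender authenticating with its own domains.
    "esp": {"from": "example.com", "mail_from": "bounces.esp.example.net",
            "spf_pass": True, "dkim_pass": ["esp.example.net"]},
    # Mailing list: SPF passes for the list, author's DKIM broken by a footer.
    "mailing_list": {"from": "example.com", "mail_from": "lists.example.org",
                     "spf_pass": True, "dkim_pass": []},
}

def phase_outcomes(policy, strict=True):
    return {name: disposition(m, policy, strict) for name, m in MESSAGES.items()}

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        print(policy, phase_outcomes(policy))
    print("reject, relaxed alignment", phase_outcomes("reject", strict=False))
```
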
