On 7/21/2020 1:08 AM, Laura Atkins wrote:
> When we’re basing a protocol on “what the user sees” and “what the user can trust” then I think we have to. DMARC says “users can trust that mail from @domain.example is really from @domain.example” but if the user never sees that, how do they know?
I think this can be connected to the query about threats that DMARC is intended to respond to, by virtue of suggesting clarity about /where/ the responding takes place.
My contention is that it takes place in a receiving filtering engine and does not take place at the user level.
Further, it's one more data point in that engine's analysis process, rather than being in any simple way definitive.
In any event, work here really should make a point of creating text that is clear about threats DMARC is intended to respond to, and clear about where such responding takes place.
To the extent any of that text makes assertions about the performance of end users, it needs to cite the basis for the assertions.
d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc