Hello,

I recently had a conversation with Dave Crocker about proposed changes for 
DMARC, and mentioned a use case to him that is not well served by the current 
situation that is not a mailing list. He said it might be useful to share this 
to this list, so I'm writing it out here.

A customer of mine is a large financial services company. Like many in that 
field, they have acquired several other companies over the years, and now 
operate multiple different brands, which send email using different domains.
While many companies like this maintain one primary domain for corporate email 
and others only for marketing purposes, this company maintains multiple 
distinct domains even for corporate workplace email.

The challenge is that they have many administrative assistants who send out 
meeting calendar invitations on behalf of the executives they support, and the 
executive and the assistant do not always use the same email domain. The 
resulting messages are not aligned, so they fail DMARC.

To put it another way:

  *   assist...@firstbrand.com is organizing a meeting for
      execut...@secondbrand.com
  *   assist...@firstbrand.com sends out a calendar invite from their own
      messaging client, using execut...@secondbrand.com in the From: field
  *   The resulting message uses execut...@secondbrand.com in the friendly
      From: field, but firstbrand.com in the SMTP MAIL FROM domain, so the
      headers are no longer aligned for SPF.
  *   Both firstbrand.com and secondbrand.com are set to DMARC p=reject.
  *   Messages like this are then rejected by receivers that validate DMARC
      results.

Whenever possible, they tell me they change the assistant's email domain to 
match the executives they support, but as people leave or change departments, 
they sometimes end up with assistants supporting executives across multiple 
different domains, so they can't ensure they always have the same domain.

Maybe the ultimate answer for this customer and others in a similar situation 
is simply that this is a use case that can no longer be supported due to 
evolving security needs, and yet if that's the case, I thought it would be 
helpful to share a real world scenario that is currently impacted that isn't 
part of the previously existing discussion around mailing lists.


Thanks,

Autumn Tyr-Salvia
atyrsal...@agari.com
Agari Principal Customer Success Engineer

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
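
Added example, not part of the original message: a sketch of the identifier alignment check a DMARC-validating receiver applies to the calendar invite described above, next to the same-domain case the customer falls back on. The local parts, the DKIM signer, the function names and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # Real receivers derive it from the Public Suffix List (RFC 7489, 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(header_from, mail_from, spf_pass, dkim_pass_domains=(),
                 policy="reject", aspf="r", adkim="r"):
    """Evaluate DMARC for one message from already-computed SPF/DKIM results."""
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]
    spf_domain = mail_from.rpartition("@")[2]
    # An SPF or DKIM pass only counts when its domain aligns with From:.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(aligned(from_domain, d, adkim) for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            # "none" means no policy action is taken on a passing message.
            "disposition": "none" if passed else policy}

# Constructed messages; local parts are placeholders, domains are from the post.
CROSS_BRAND = dict(header_from="Executive <user-b@secondbrand.com>",
                   mail_from="user-a@firstbrand.com", spf_pass=True,
                   dkim_pass_domains=["firstbrand.com"])  # assumed signer
SAME_BRAND = dict(header_from="Executive <user-b@secondbrand.com>",
                  mail_from="user-a@secondbrand.com", spf_pass=True)

if __name__ == "__main__":
    for name, msg in (("cross-brand", CROSS_BRAND), ("same-brand", SAME_BRAND)):
        print(name, dmarc_result(**msg))
```

SPF itself passes for firstbrand.com in the cross-brand case; the DMARC failure comes only from that domain not matching the From: domain, and relaxed alignment does not help because the two brands are different organizational domains.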
