On 7/28/20 2:07 AM, Laura Atkins wrote:
> The underlying belief with DMARC is that mail is simple, that
> companies are monoliths with only a few brands/domains, that it is
> possible to know exactly where every message will come from. These
> assumptions are not and have never been true. Inevitably, however,
> when these types of issues are pointed out, they’re dismissed with
> “solutions” that aren’t actually achievable or maintainable. DMARC
> proponents have repeatedly failed to pay attention to folks pointing
> out the actual operational challenges and thus have never addressed
> the issues in any way. This is, fundamentally, why only 15% of Fortune
> 500 companies have adopted p=reject and why adoption rates only
> increased by 5% last year.
>
> The indirect mail stream issue is real. But it is not the only barrier
> to getting to p=reject. The sooner folks start listening to the people
> who are presenting real issues where DMARC alignment can’t be achieved
> the sooner they’ll be able to address them. The problem with low DMARC
> adoption is that it does not adequately address how companies are
> using mail in ways that break the DMARC model. Almost a decade on, and
> proponents are still suggesting that email usage should change to
> comply with their model of how email works. This has not happened.
> Maybe proponents need to think harder about why. 


There's an underlying assumption here that I don't agree with: that
DMARC adoption equates to the publication of a p=reject DMARC policy,
and that everyone (or at least all Fortune 500 companies) should be
doing that. p=reject should only be used when the usage patterns of the
domain support that policy. I'm more inclined to say that 85% of Fortune
500 companies are savvy enough not to publish a policy that doesn't fit
their usage patterns.

As RFC 7489 says, "DMARC is designed to prevent bad actors from sending
mail that claims to come from legitimate senders, particularly senders
of transactional email (official mail that is about business
transactions)." If the statistic were instead, "only 15% of domains used
exclusively for transactional email publish p=reject," I'd agree that's
a statistic that should be improved.

-Jim


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
