On Thu, Aug 13, 2020 at 12:21 PM Dotzero <dotz...@gmail.com> wrote:

> On Thu, Aug 13, 2020 at 3:06 PM Neil Anuskiewicz <n...@marmot-tech.com>
> wrote:
>
>> Tunable! You said the magic word. I have a client now getting spoofing.
>> Tightening above p=none is a non-starter as about 100% of MajorCRM emails
>> fail SPF (foo.majorcrm is the RFC5321.from), 62% of MajorCRM mail fails
>> DKIM, and 100% of MajorCRM Marketing * fails SPF (bar.some-esp.com). Oh,
>> and some local office has a random MailChimp account not authenticated.
>>
>> We can't turn the knob on policy and MajorCRM support says you can't have
>> your own mail from. Normally, with a client we would get on a screen share
>> with Bob (the doer of all things) at a company or some other efficient
>> arrangement to be able to make changes in applications, update DNS, test,
>> monitor.
>>
>> Here, there's this dept with control of the CRM, another for marketing,
>> another controls DNS, and a vendor says something isn't possible.
>
> So what you are saying is that you want an IETF working group to write a
> standard that papers over poor self-control on the part of your
> organization.

Not my organization. I'm a freelancer. No, I'm saying that the IETF should write a standard that helps people in the field solve problems.

>> My point is that it sure would be nice to be able to tune so that BigCRM
>> and BigCRM Marketing * mail would pass DMARC comfortably, and we could then
>> turn the dial on policy to cut off the spoofers without breaking legit mail.
>>
>> Yes, I know that this isn't the mailing list issue but tuning could solve
>> that problem, too.
>
> The way you solve the problem described above is to get control of your
> mail flows. I've worked with various "big CRM" vendors and they will gladly
> accept a delegated subdomain (they control DNS and therefore SPF and DKIM
> signing as well as publishing DMARC). There are other approaches as well.
> Your post illustrates one of the problems with the discussion on this list.
> People are conflating internal organizational issues with requirements for
> interoperability. You could always publish 0.0.0.0 -all for your SPF record
> and solve all your DMARC assertion issues very easily.

I set up subdomains for clients to use for their mail streams all the time so I agree. It's just the standard that sometimes stands in the way of cutting off spoofers. And that's ultimately the goal of the standard. Allow legit mail, stop bad guys.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
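
Added example (not part of the original thread or any poster's code): DMARC identifier alignment evaluated in Python for a vendor-hosted mail stream before and after the delegated-subdomain approach discussed above. All domains are constructed, and `org_domain` assumes the organizational domain is the last two labels instead of consulting the Public Suffix List.

```python
# Added illustration; every domain below is constructed, not from the thread.

def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels.
    A real evaluator consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_pass(msg: dict, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes when SPF or DKIM both authenticates and aligns with
    the RFC5322.From domain. A bare SPF/DKIM pass is not enough."""
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = any(
        sig["valid"] and aligned(msg["from"], sig["d"], adkim)
        for sig in msg["dkim"]
    )
    return spf_ok or dkim_ok

def safe_to_enforce(legit_streams: list) -> bool:
    """Policy can move past p=none only when every legitimate stream passes."""
    return all(dmarc_pass(m) for m in legit_streams)

# Vendor defaults: SPF and DKIM both verify, but for the vendor's own domain.
VENDOR_DEFAULT = {
    "from": "client.example",
    "mail_from": "bounce.crm-vendor.example",
    "spf_pass": True,
    "dkim": [{"d": "crm-vendor.example", "valid": True}],
}

# Delegated subdomain: the vendor sends and signs as crm.client.example.
DELEGATED = {
    "from": "client.example",
    "mail_from": "crm.client.example",
    "spf_pass": True,
    "dkim": [{"d": "crm.client.example", "valid": True}],
}

if __name__ == "__main__":
    for name, m in (("vendor default", VENDOR_DEFAULT), ("delegated", DELEGATED)):
        print(f"{name}: relaxed={dmarc_pass(m)} strict={dmarc_pass(m, 's', 's')}")
```

With strict alignment (`aspf=s`, `adkim=s`) the delegated stream passes only if the From header itself uses the delegated subdomain.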