On Fri, Aug 14, 2020 at 12:42 PM John Levine <jo...@taugh.com> wrote:

> In article <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=
> g...@mail.gmail.com> you write:
> >policy of p=reject. Domains should not be able to externalize their
> >internal problems to others.
>
> Isn't that exactly the mailing list problem?
>

No, that is the domains publishing a policy externally but not telling
their users "Don't do that" problem.

>
> >> Only if you believe that the domain on the From: line is automatically
> >> more credible than the one on the Sender: line. The whole third party
> >> problem is that the people sending their mail through lists or
> >> whatever are in fact doing so legitimately, but for various reasons
> >> their organizations' DMARC policies lie and say they aren't.
> >>
> >
> >I think you are misusing the term "credible". Domains which are publishing
> >p=reject policies are making an assertion regarding mail purporting to be
> >authorized by their domain. It is not an assertion that their mail is
> >"good" or should be delivered to a recipient ...
>
> No, it's an assertion that mail that's unaligned is unauthorized, and
> a request to reject it. For mail that their users send through mailing
> lists, that assertion is false and the request clearly not what the
> organization and its users want. This is what I conclude from the
> number of unhappy people to whom I have had to explain that their mail
> is disappearing because their employer told recipient systems to do
> so.
>

"clearly not what the organization and its users want."

Who am I going to believe, the organization and its published policy or
you?

>
> > This is why I made the point above that lists should respect DMARC
> >policy and not accept submissions from domains with DMARC p=reject
> >policies.
>
> Lists have been around a lot longer than DMARC has. Perhaps you meant
> to say that domains whose users participate in mailing lists should
> not publish restrictive DMARC policies. If they don't want their users
> to send mail to lists, they should tell their users not to send mail
> to lists.
>

I meant what I wrote. Domains who actively want their users to participate
in mailing lists or even passively accept that their users participate in
mailing lists shouldn't publish p=reject for the domain their users are
sending from or should take steps to migrate the users to another
domain/subdomain, etc. Conversely, if a domain IS publishing p=reject then
yes, they should be taking steps internally but I also believe others
should consider that domain's published policy as intentional and act
accordingly. I've never heard of a DMARC policy getting published due to
inaction. Someone with administrative rights actively published that policy.

>
> There are lots of organizations that actively want their employees to
> participate in the IETF, to the extent that they give them paid time
> for IETF activities, yet publish p=reject policies to cripple that
> participation. I wish they would make up their minds.
>

Me too.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
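
Added example, not part of the original message or of any list software: a sketch of the submission-time check debated in this thread, where a list refuses posts whose From: domain has an effective DMARC policy of reject. The function names, the RECORDS table standing in for DNS TXT lookups, and the caller-supplied organizational domain (normally derived from the Public Suffix List) are assumptions; pct and the reporting tags are ignored.

```python
# Constructed sample data: RECORDS stands in for TXT lookups at _dmarc.<domain>.
RECORDS = {
    "_dmarc.corp.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:agg@corp.example",
    "_dmarc.lists.corp.example": "v=DMARC1; p=none",  # users moved to a subdomain
    "_dmarc.shop.example": "v=DMARC1; p=reject; sp=none",
}

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not usable.

    Simplification: a record without a valid p tag is ignored outright.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None  # RFC 7489: the v tag must come first
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags if tags.get("p", "").lower() in POLICIES else None


def effective_policy(from_domain, org_domain, records=RECORDS):
    """Policy applying to from_domain: its own record first, then the
    organizational domain's record (sp for subdomains, falling back to p)."""
    from_domain, org_domain = from_domain.lower(), org_domain.lower()
    own = parse_dmarc(records.get("_dmarc." + from_domain, ""))
    if own:
        return own["p"].lower()
    if from_domain != org_domain:
        org = parse_dmarc(records.get("_dmarc." + org_domain, ""))
        if org:
            return org.get("sp", org["p"]).lower()
    return None  # no DMARC policy published


def list_accepts_submission(from_domain, org_domain, records=RECORDS):
    """Refuse posts whose From: domain asks receivers to reject unaligned mail."""
    return effective_policy(from_domain, org_domain, records) != "reject"
```

The lists.corp.example entry models the "migrate the users to another domain/subdomain" option: its own p=none record overrides the parent's sp=reject, so posts from it are accepted while posts from corp.example are refused.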
