On Fri, Aug 14, 2020 at 11:15 AM Dotzero <dotz...@gmail.com> wrote:

>
>
> On Fri, Aug 14, 2020 at 1:32 PM Neil Anuskiewicz <n...@marmot-tech.com>
> wrote:
>
>>
>>
>> On Fri, Aug 14, 2020 at 8:13 AM Kurt Andersen (b) <kb...@drkurt.com>
>> wrote:
>>
>>> On Fri, Aug 14, 2020 at 7:31 AM Dotzero <dotz...@gmail.com> wrote:
>>>
>>>>
>>>> I've been involved in setting up DMARC with a policy of p=reject for
>>>> somewhere North of 6,000 domains. As a sending domain, the heavy lifting is
>>>> in getting buy-in across the organization that it is a worthwhile effort,
>>>> getting control of your organization's mail flows and ensuring policies and
>>>> procedures are communicated and followed. For complex environments there
>>>> may need to be some automation required for creating and maintaining
>>>> private/public key pairs and DNS records but that is much more
>>>> straightforward than the aforementioned heavy lifting.
>>>>
>>>
>>> Also note that said "heavy lifting" is not a one time expenditure of
>>> effort. Having hoisted the weight bar above your head, it requires
>>> organizational will and ongoing knowledge to stick to the higher bar week
>>> in and week out. Entropy is never your friend in an organizational security
>>> context. Neither are acquisitions :-)
>>>
>>> Yes, and that's why I use DMARC mostly as a tool for reporting. My
>>> clients are typically small businesses who are worried about selling
>>> widgets not about email so even if I help them set up email perfectly, they
>>> could make a change a year from now without updating their SPF record or
>>> deploying DKIM. I just changed my policy to reject (just for fun) assuming
>>> this email will get through because of DMARC's OR logic.
>>>
>>
> Which brings us back to the question of organizational implementation
> issues vs interoperability issues. Can a technical standards body solve
> the problem of organizations shooting themselves in the foot because they
> are worried about selling widgets and not about email? Why do I have a
> feeling they start caring about email when it no longer works for them?
> They have created a self-induced personal interoperability issue. If they
> changed their MX to use a random port other than port 25 to receive SMTP
> connections would you suggest that the RFC should be written to
> accommodate that?
>
No, it probably can't solve that sort of problem and maybe there's not
really a problem. DMARC does work as advertised, though adoption's low.

Under 50% of companies have any DMARC record. Of those who deploy DMARC,
about ~2% have p=quarantine and ~5% p=reject, though in some industries such
as finance it looks like it's closer to 15% p=reject. I'm sure these
numbers aren't perfect but what you have likely isn't radically different.

Why is adoption low? Is that a big problem? Why so few aggressive policies?
Is that a big problem?

Can a standards body do anything about any of it? Should they? I have no
idea.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
