On Fri, Aug 14, 2020 at 11:15 AM Dotzero <dotz...@gmail.com> wrote:
>
> On Fri, Aug 14, 2020 at 1:32 PM Neil Anuskiewicz <n...@marmot-tech.com>
> wrote:
>
>> On Fri, Aug 14, 2020 at 8:13 AM Kurt Andersen (b) <kb...@drkurt.com>
>> wrote:
>>
>>> On Fri, Aug 14, 2020 at 7:31 AM Dotzero <dotz...@gmail.com> wrote:
>>>
>>>> I've been involved in setting up DMARC with a policy of p=reject for
>>>> somewhere north of 6,000 domains. As a sending domain, the heavy lifting is
>>>> in getting buy-in across the organization that it is a worthwhile effort,
>>>> getting control of your organization's mail flows and ensuring policies and
>>>> procedures are communicated and followed. For complex environments there
>>>> may need to be some automation required for creating and maintaining
>>>> private/public key pairs and DNS records, but that is much more
>>>> straightforward than the aforementioned heavy lifting.
>>>>
>>>
>>> Also note that said "heavy lifting" is not a one-time expenditure of
>>> effort. Having hoisted the weight bar above your head, it requires
>>> organizational will and ongoing knowledge to stick to the higher bar week
>>> in and week out. Entropy is never your friend in an organizational security
>>> context. Neither are acquisitions :-)
>>>
>>> Yes, and that's why I use DMARC mostly as a tool for reporting. My
>>> clients are typically small businesses who are worried about selling
>>> widgets, not about email, so even if I help them set up email perfectly, they
>>> could make a change a year from now without updating their SPF record or
>>> deploying DKIM. I just changed my policy to reject (just for fun) assuming
>>> this email will get through because of DMARC's OR logic.
>>>
>>
> Which brings us back to the question of organizational implementation
> issues vs interoperability issues. Can a technical standards body solve
> the problem of organizations shooting themselves in the foot because they
> are worried about selling widgets and not about email? Why do I have a
> feeling they start caring about email when it no longer works for them?
> They have created a self-induced personal interoperability issue. If they
> changed their MX to use a random port other than port 25 to receive SMTP
> connections, would you suggest that the RFC should be written to
> accommodate that?
>

No, it probably can't solve that sort of problem, and maybe there's not really a problem. DMARC does work as advertised, though adoption's low.

Under 50% of companies have any DMARC record. Of those who deploy DMARC, about ~2% have p=quarantine and ~5% p=reject, though in some industries such as finance it looks like it's closer to 15% p=reject. I'm sure these numbers aren't perfect, but what you have likely isn't radically different. Why is adoption low? Is that a big problem? Why so few aggressive policies? Is that a big problem? Can a standards body do anything about any of it? Should they? I have no idea.
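The "OR logic" mentioned in the thread is the DMARC pass rule: a message passes if either SPF or DKIM passes and the passing identifier is aligned with the RFC5322.From domain; only when neither does is the published policy (p=none/quarantine/reject) applied. The evaluator below is an added illustration written for this page, not code from the thread, the IETF or any DMARC implementation. Domain names and authentication results are constructed, the organizational-domain helper is a deliberate simplification (last two labels; real receivers use the Public Suffix List), and the pct, sp and reporting tags are parsed but not acted on.

```python
"""Minimal DMARC evaluator showing the SPF-aligned OR DKIM-aligned pass rule.

Added example for this page; not code from the thread or any DMARC project.
All domains and results below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # A usable record must start with v=DMARC1 and carry a policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    return tags


def org_domain(domain: str) -> str:
    """Assumption/simplification: organizational domain = last two labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                       # RFC5322.From domain (what DMARC protects)
    spf_result: str                        # "pass", "fail", "none", ...
    spf_domain: str                        # RFC5321.MailFrom domain SPF was checked for
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d= domain) per signature


def evaluate_dmarc(auth: AuthResults, record: Optional[str]) -> dict:
    """Return the DMARC result and the disposition a receiver would apply."""
    if record is None:
        return {"dmarc": "none", "disposition": "none",
                "spf_aligned": False, "dkim_aligned": False}
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.from_domain, auth.spf_domain, tags.get("aspf", "r"))
    # Any one aligned, passing DKIM signature is enough.
    dkim_ok = any(res == "pass" and aligned(auth.from_domain, d, tags.get("adkim", "r"))
                  for res, d in auth.dkim)
    passed = spf_ok or dkim_ok            # the OR rule
    disposition = "none" if passed else tags["p"].lower()
    return {"dmarc": "pass" if passed else "fail", "disposition": disposition,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Constructed scenario: mail relayed through a list, so SPF is checked for the
    # list's domain and fails alignment, but the author's DKIM signature survives.
    relayed = AuthResults("example.com", "fail", "lists.example.org",
                          dkim=[("pass", "example.com")])
    print(evaluate_dmarc(relayed, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    # Same relay path after the author forgot to keep DKIM deployed: both fail.
    unsigned = AuthResults("example.com", "fail", "lists.example.org",
                           dkim=[("fail", "example.com")])
    print(evaluate_dmarc(unsigned, "v=DMARC1; p=reject"))
```

The second scenario is the failure mode the thread worries about: once a domain publishes p=reject, a later change that silently breaks both SPF alignment and DKIM turns every legitimate message into a reject, which is why a p=none reporting-only policy is a safer resting state for domains nobody is actively maintaining.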
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc