On 8/13/20 10:03 AM, John R Levine wrote:
>> -Admittedly, that's where my bias comes in. My job is working with
>> organizations that have paid my employer for me to be that outside help, so
>> it's rare for me to see how badly it can be done by people setting
>> restrictive DMARC policies without knowing what they're doing.
>
> If they all talked to you first, we'd be having a very different discussion.

With a complex organization the only way to get people to change is to publish a restrictive DMARC policy and then see who comes out of the woodwork sheepishly admitting that they've been ignoring us for years.

Normal people sending email (especially those who are working with an ESP, most of which happily send email without any DMARC alignment) do not comprehend the notion that they should be using a subdomain for their transactional messages, even when we directly communicate this fact to them repeatedly. They just don't understand the nuances of email.

Similarly, it's the only way to find all of the old DMARC-unaware MLMs, most of which haven't been security-patched for years. Forcing them to upgrade to an MLM that can munge the From is a back-door way to get them to patch, or reassess their commitment to running the list in the first place.

Enterprise IT/cybersecurity actually want to get better manageability on the email their institution emits. Misdeploying DMARC provides that.

Publishing restrictive DMARC on user domains is not always a clueless IT decision.

Jesse

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc