On Tuesday, August 18, 2020, John Levine <jo...@taugh.com> wrote:

> In article <CAJ4XoYcue16VU6otKOzQBFy_59nD8DGcDQb8H=Z0MsX-XLah8w@mail.gmail.com> you write:
> >This is just wrong. While I appreciate the enthusiasm for using the Sender
> >field, unless there is a mechanism for establishing a relationship between
> >the From domain and the Sender domain then we have basically broken DMARC.
> >Using what has been described above, any malicious actor can bypass the
> >wishes of the From domain and send whatever they want.
>
> Aw, come on.  Surely you of all people know that DMARC aligned doesn't mean
> it's not spam.
>
>
Aw, come on. Surely you of all people know that DMARC broken doesn't mean
it's good and real. 🤔 You are presenting a false dichotomy that centers
only on mailing lists.


> the whole reason we're here is that we have abundant evidence that at
> least where mailing lists are involved, the policy published in DMARC
> often doesn't express the actual wishes of the domain publishing it.


You paint with a broad brush. As one of the creators of DMARC, I fully
intended that ANY messages purporting to be from the domains I set p=reject
for to be rejected if they failed to pass either aligned DKIM or SPF. No
user accounts at those domains other than direct support accounts and
billions of emails served with no intermediary problems other than a few
vanity domains on the receiver side. Our position from the beginning was
that they are not authorized by us to use our domains in that manner. For
us, protecting end users, most who were not even our customers, was much more
important than the small fraction of a percentage of dropped mail. And yes,
we tracked all sorts of metrics on an ongoing basis.

Please don't tell me that our published policy did not represent our actual
wishes. Your representation that you know better than ALL people/domains
which publish DMARC what they wish is akin to saying you know better than
all people screwing up their DNS records what they actually want. You
sidestep a lot of important issues by reducing everything to the one edge
case you are concerned about.

If the people you claim don't want the outcome they have as a result of the
DMARC policy that they published then maybe they should publish a different
policy. Have you considered contacting them, any of them, to tell them you
know their wishes better than they do?

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
