On 8/21/20 4:05 PM, Brandon Long wrote:
> 
> 
> On Fri, Aug 21, 2020 at 12:24 PM Jim Fenton <fen...@bluepopcorn.net> wrote:
> 
>     On 8/17/20 3:52 PM, Jesse Thompson wrote:
>     > With a complex organization the only way to get people to change is to
>     > publish a restrictive DMARC policy and then see who comes out of the
>     > woodwork sheepishly admitting that they've been ignoring us for years.
>     >
>     > Normal people sending email (especially those who are working with an
>     > ESP, most of which happily send email without any DMARC alignment) do not
>     > comprehend the notion that they should be using a subdomain for their
>     > transactional messages; even when we directly communicate this fact to
>     > them repeatedly.  They just don't understand the nuances of email.
>     >
>     I thought the DMARC reporting mechanism was there to allow such
>     organizations to detect those behaviors and get them corrected without
>     actually causing the damage of a restrictive policy.
> 
> 
> One thing we've found useful in this case is controlling the organization 
> from spamming.
> 
> Which is to say that the org has a policy on approvals and what is allowed to
> be sent marketing wise, in some parts of the world to comply with laws on
> such topics, or to be sure the entire org follows the principles and someone
> new doesn't just poison the pool for everyone else.
> 
> There are always people who route around restrictions or sometimes don't even
> bother to look for anything, they'll just hire a third party ESP and spam
> away.
> 
> DMARC helps in this case to reduce the success of that and force them back to
> internal compliance, which relieves the legal burden as well as the negative
> impacts on delivery and public perception.
> 
> For folks who just register a new domain name and spam anyways... yeah, well,
> there are other consequences down the line and other anti-phishing
> restrictions that kick in at least on our inbound systems.

Right.  

Moving past p=none puts somewhat of a backstop on the internal compliance 
problem, which would otherwise continue indefinitely.  I've put them into a 
state where they have to get a subdomain and learn about DMARC.  

DMARC [aggregate] reports don't tell us *who* in our organization is 
perpetuating the problem, especially if their volume is low or not visible to 
the few DMARC reporters.  At some point you need to acknowledge that you will 
never have complete visibility.

Jesse

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
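
The limit on aggregate reports discussed in the message above can be seen by reading one. This is an added example, not part of the original thread: it parses a constructed RFC 7489 aggregate report and lists the sources that failed DMARC for the domain. The function name, the sample domains and the IP addresses are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; every value is made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.edu</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.edu</header_from></identifiers>
    <auth_results><dkim><domain>example.edu</domain><result>pass</result></dkim>
      <spf><domain>example.edu</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.edu</header_from></identifiers>
    <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def unaligned_sources(report_xml):
    """Map (source_ip, header_from) -> message count and authenticated domains
    for every record where neither aligned DKIM nor aligned SPF passed."""
    # Reports come from third parties; in production parse them with a hardened
    # parser such as defusedxml instead of the standard-library one used here.
    out = defaultdict(lambda: {"count": 0, "auth_domains": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue  # malformed record, nothing to evaluate
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        key = (rec.findtext("row/source_ip"), rec.findtext("identifiers/header_from"))
        out[key]["count"] += int(rec.findtext("row/count", "0"))
        # The only attribution available: the domains that authenticated the
        # message, typically the ESP's. No field names the internal sender.
        for dom in rec.iterfind("auth_results/*/domain"):
            out[key]["auth_domains"].add(dom.text)
    return dict(out)

if __name__ == "__main__":
    for (ip, header_from), info in unaligned_sources(SAMPLE_REPORT).items():
        print(ip, header_from, info["count"], sorted(info["auth_domains"]))
```

The output identifies an ESP's sending IP and domains and a message count, which is as far as the report format goes toward naming who inside the organization sent the mail.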
