> On 24 Aug 2020, at 23:34, Douglas E. Foster > <fosterd=40bayviewphysicians....@dmarc.ietf.org> wrote: > > Something seems inconsistent: > > - The people who have implemented DMARC do not see any significant problems, > and as a result they are not interested in a third-party authorization scheme. > > - Yet adoption is very slow, especially for anything other than p=none > > Are we to assume that mailing list compatibility explains the slow adoption? > If not, what other obstacles do we need to be considering?
I don’t believe mailing list compatibility is a primary reason for slow adoption, although I do think it’s a contributing factor. To my mind the biggest obstacle to adoption of restrictive policies is the expense of implementation and the lack of return for that investment. Implementing DMARC, particularly for larger companies who want to do it correctly, is expensive and resource intensive. It is a multi-month process to identify all the legitimate sources of mail, create alignment or move vendors and set up the correct reporting mechanism. You can, and I do recommend, outsource this to one of the vendors who does this well. Not every company outsources or has the resources to do this correctly internally. A client from last year was told they had less than a week to go from no DMARC to p=reject. Unfortunately, the IT directive came with nothing more than a “publish v=DMARC1; p=reject in your DNS.” Client lost days worth of mail due to a lack of direct alignment even though they were using their own domains in SPF and DKIM. Checking now, client still isn’t collecting reports, but has backed down to p=quarantine. A restrictive DMARC record requires a large, up-front commitment of resources. It also requires ongoing resources for monitoring and understanding the reports and the ability to be able to address any problems that show up in the reports. For a lot of companies, the benefit to publishing restrictive DMARC policy is minor. It stops bad guys from directly forging their domain, but doesn’t stop your brand being phished or your executives from being spear phished using cousin domains or taking advantage of the 5322.from comment. It also disrupts normal business processes as we’ve been discussing on the list here. To borrow an example from John Levine, a restrictive DMARC policy is preventing employees at a large company from participating in industry specific mailing lists; participation which is part of their actual job. I believe a lot of the very slow adoption is folks inside companies looking at the cost of implementing restrictive DMARC records and the benefits to implementing restrictive DMARC records and deciding there just isn’t enough benefit to justify the expense. BIMI is an attempt to bring more benefit to the table, but I’m not sure even that is enough to justify the overall expense to a lot of corporations. laura -- Having an Email Crisis? We can help! 800 823-9674 Laura Atkins Word to the Wise la...@wordtothewise.com (650) 437-0741 Email Delivery Blog: https://wordtothewise.com/blog
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
