During a session at M3AAWG50, one of the other participants proposed an idea where a sender could optionally send reports to a domain holder when they send messages on behalf of that domain.

Let's consider the idea that example.com has properly created SPF/DKIM/DMARC reports for themselves, and are enforcing at p=reject. And example.com has permitted ESP-A to deliver messages on their behalf, and they're properly set up in the SPF, and properly sign with DKIM. ESP-B has no such authorization, but some entity has asked that ESP-B send messages on behalf of example.com, but is targeting a mailbox provider who does not support DMARC, nor send reports. Both entities participate in this "Senders DMARC", and now example.com knows that ESP-A is acting properly, while ESP-B may need some contact to understand more about what is going on.

I'd suggest that the policy be separate from the receiving policy ("p=" and "ps=" (policy-senders) for example, though, that may also lend itself to "psp="), but residing in the same DNS TXT record.

This would not be meant just for ESPs, but also for MBPs/ISPs as well.

Does this sound like a reasonable idea? Report overload? Not a helpful data set for a domain holder?

Thank you for your time.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast