On 12/29/20 9:18 AM, Todd Herr wrote:
> The intent of the p= value is for the domain owner to communicate a
> request for message handling by the entity evaluating the DMARC
> results; a policy of p=none means "please treat this message the same
> as you would have if you hadn't performed a DMARC check on it,
> regardless of the result obtained from the check".

Right, but that is not what Google at least is doing in their Auth-res.
It's marking it as DMARC=fail. I think the issue is with RFC 7601
because all I see in it are some DMARC codepoints for IANA unless I
missed something. But it could also be considered a fault of DMARC if
there isn't normative language on what constitutes pass/neutral or
missing/fail. Of course this can just be a Google bug, but it looks more
likely underspecification to me.
Maybe Murray can chime in here.

> > My feeling is that failure should be reserved only in the case
> > where both SPF and DKIM fail and that the p= > none. What I'd
> > *really* like from a UI standpoint is the p= value passed along as
> > well so I can decide to decorate reject differently from
> > quarantine and none.

> A typical domain owner with a non-trivial email infrastructure and an
> eventual goal of getting to p=reject will start with p=none, and will
> consume aggregate and failure reports, and will use the data in those
> reports to address any shortcomings in their authentication practices.
> Aggregate reports containing DMARC failure verdicts will be quite
> useful to the domain owner, to ferret out those cases where Mike in
> Marketing has contracted with a third party to send mail on behalf of
> the domain, or where Ellen the Engineer has a server running off the
> side of her desk, sending reports to $ARBITRARY_MAILBOXES and ensure
> that such mailstreams are properly authenticated before updating the
> DMARC policy to p=quarantine or p=reject. It's not uncommon for some
> domains to be at p=none for months, perhaps twelve or more, depending
> on their mailing practices and cadences before making the switch.
> Domain owners won't move to p=reject until they're sure that
> enforcement of such a policy won't have a negative impact on their
> mail flow.

In the meantime, it would be nice for MUAs to be able to do their part
with annotating mail. DMARC=fail is really unhelpful with p=none.
Mike
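
The annotation problem discussed in this message, as an added example that is not part of the original thread: an MUA-side helper that combines the `dmarc=` result from an Authentication-Results header with the domain's published `p=` tag, so a failure under p=none can be decorated differently from one under quarantine or reject. The function names, the annotation labels and the sample inputs are assumptions made for illustration; the DMARC record is passed in as text instead of being fetched from DNS, and the header parser assumes no semicolons inside comments.

```python
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_AUTH_RES = (
    "mx.example.net; spf=fail smtp.mailfrom=bulk.example.org; "
    "dkim=none; dmarc=fail header.from=example.com"
)
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:reports@example.com"


def dmarc_result(auth_res):
    """Return (result, header.from domain) from an Authentication-Results value."""
    for part in auth_res.split(";")[1:]:  # the first part is the authserv-id
        m = re.match(r"\s*dmarc=(\w+)", part, re.I)
        if m:
            dom = re.search(r"header\.from=([^\s;]+)", part, re.I)
            return m.group(1).lower(), dom.group(1).lower() if dom else None
    return None, None


def published_policy(record):
    """Return the p= tag of a DMARC TXT record, or None if the record is not usable."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else None


def annotation(auth_res, record):
    """Hypothetical label an MUA could use to choose how to decorate a message."""
    result, _domain = dmarc_result(auth_res)
    if result is None:
        return "no-dmarc-result"
    if result != "fail":
        return "dmarc-" + result
    # The header carries only the verdict, so the policy comes from the record.
    return "dmarc-fail-" + (published_policy(record) or "unknown")


if __name__ == "__main__":
    print(annotation(SAMPLE_AUTH_RES, SAMPLE_RECORD))
```

A record fetched at display time may differ from the one the receiver evaluated at delivery, which is one reason to have the evaluator pass the p= value along with the result.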