On 2/1/21 10:52 AM, Dave Crocker wrote:
On 2/1/2021 10:25 AM, Michael Thomas wrote:


On 2/1/21 10:13 AM, Dave Crocker wrote:
The model that a receiving site is not allowed to report DMARC traffic unless that site is also generating DMARC authentication is Procrustean.  And as I noted, is likely counter-productive.

There is no such thing as "DMARC authentication".

Actually, there is.  DMARC's requirement for alignment with the author's From: field domain name asserts a specific bit of authenticated semantics that does not exist elsewhere.


The paragraph quoted is poorly written and should be rewritten to say that the report should pass either SPF or DKIM authentication as I wrote in issue #98.

It might be written better, but its requirement is for support of applying DMARC to generated reports.  That's more than just requiring SPF or DKIM.

This is separate from not asserting the requirement at all, of course.

The entire thrust of the paragraph needs to be rewritten to what the senders and receivers must do. It does not require invoking the policy lookup since it can make the determination to reject reports that do not authenticate with either SPF or DKIM itself. The section also needs to clarify whether spoofing the envelope-to domain in the report contents is allowed or not. I do not think it should be.

Mike

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
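
The two checks argued over in this thread, side by side, as an added example that is not part of the thread or of any DMARC draft: "passes SPF or DKIM" versus a pass that is also aligned with the report's From: domain. The domains and headers are constructed. It assumes strict alignment only (relaxed alignment needs an organizational-domain lookup) and an Authentication-Results header stamped by the report receiver's own border MTA.

```python
import re
from email.utils import parseaddr

def auth_results(header):
    """Parse one Authentication-Results value into (method, result, domain) tuples.
    Simplified: one-line header, no comment handling, SPF and DKIM only."""
    found = []
    for part in header.split(";")[1:]:          # field 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", part)
        if not m:
            continue
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(\S+)", part)
        domain = d.group(1).rsplit("@", 1)[-1].lower() if d else None
        found.append((m.group(1), m.group(2).lower(), domain))
    return found

def evaluate(from_header, authres_header):
    """Return (spf_or_dkim_pass, aligned_pass) for one report message."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    results = auth_results(authres_header)
    # Check 1: any SPF or DKIM pass, regardless of which domain it covers.
    any_pass = any(res == "pass" for _, res, _ in results)
    # Check 2: a pass whose authenticated domain equals the From: domain
    # (strict alignment; an assumption made to keep the example self-contained).
    aligned = any(res == "pass" and dom == from_domain for _, res, dom in results)
    return any_pass, aligned

# Constructed sample reports: (From:, Authentication-Results:)
FROM = "DMARC reports <dmarc-reports@receiver.example>"
SAMPLES = [
    # Sent through a third party: authenticated, but not as receiver.example.
    (FROM, "mx.sender.example; spf=pass smtp.mailfrom=bounces@esp.example; "
           "dkim=pass header.d=esp.example"),
    # Signed by the From: domain itself.
    (FROM, "mx.sender.example; spf=none smtp.mailfrom=bounces@esp.example; "
           "dkim=pass header.d=receiver.example"),
    # Nothing authenticates.
    (FROM, "mx.sender.example; spf=fail smtp.mailfrom=receiver.example; dkim=none"),
]

if __name__ == "__main__":
    for frm, ar in SAMPLES:
        print(evaluate(frm, ar), "<-", ar)
```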
