Michael, let it go.

If someone stops you to say "your zipper is down", you will not ask them
for proof of identity, you will excuse yourself and investigate the
problem. By my reckoning, DMARC reports are a lot like that.

Source Alpha says, "Server X is sending unauthenticated mail for Domain
Y." Several possibilities exist:
- You already distrust information coming from Source Alpha, so you reject
or discard the information.
- You already have enough data to investigate, so you ignore this report.
- You decide to investigate this report, which produces one of three
outcomes:
     - Server X has a problem, and you fix it.
     - Server X is not your server, so you confirm that it is not your
problem.
     - Source Alpha is wrong, so you add a rule to reject or discard future
reports from that source.

I do not see any reason for a DMARC report to flow indirectly, so I would
be suspicious of any reports that appeared to come that way. This means
all I really need is an SPF PASS.

But I do not need positive identification of the source.

On Mon, Feb 1, 2021 at 9:13 PM Michael Thomas <m...@mtcc.com> wrote:

>
> On 2/1/21 6:05 PM, Dave Crocker wrote:
>
> On 2/1/2021 5:58 PM, Michael Thomas wrote:
>
> This, on the other hand, should be measurable. Saying that we should
> ignore authentication requirements should require extraordinary proof that
> it is needed for practical as well as security reasons. The burden of proof
> is on the nay-sayers, especially since it is so trivial to implement these
> days.
>
> Or perhaps:
>
> 1. Barrier to adoption, for something that supposedly needs a lot more
> adoption
>
> 2. Doesn't seem to make much difference.
>
> I'd class those as suggesting rather strongly that the burden is on those
> that want to impose the barrier, rather than those who don't.
>
> The problem with arbitrarily claiming a requirement, without justifying it
> carefully and in a balanced manner is that it is, well, arbitrary.
>
> Because we all know how well unauthenticated data worked out for email. I
> fail to see why anybody would be in favor of digesting unauthenticated data
> when the method of authenticating it is trivial and well known. It's an
> extraordinary claim that needs to be backed up. But you don't need to
> convince me; you need to convince the security AD's and cross area
> reviewers.
>
> Mike
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
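The triage the message above describes (gate the report on an SPF PASS for the report mail itself, discard known-bad reporters, then sort failing sources into "my server, fix it" and "not my server") can be written down against the RFC 7489 aggregate report format. This is an added example, not code from the thread or from any DMARC implementation; the report XML, the domain example.org, the reporter names and the address ranges are all constructed or assumed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 Appendix C layout) claiming
# two sources sent DMARC-failing mail for the assumed domain example.org.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>reporter.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""

OUR_RANGES = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: our own outbound servers
DISTRUSTED_REPORTERS = {"spammy.example"}            # assumed: reporters we already discard


def triage_report(xml_text, report_spf_result, distrusted=DISTRUSTED_REPORTERS, ours=OUR_RANGES):
    """Return (decision, findings).

    The report mail itself must have an SPF PASS (the only gate the message
    argues for); a report arriving any other way is treated as suspect and
    discarded. Each record that failed both DMARC-aligned SPF and DKIM is
    then sorted into 'fix' (the source is one of our servers) or 'not-ours'.
    """
    if report_spf_result.lower() != "pass":
        return "discard", []
    root = ET.fromstring(xml_text)
    if root.findtext("report_metadata/org_name", default="") in distrusted:
        return "discard", []
    findings = []
    for rec in root.iter("record"):
        row = rec.find("row")
        if row.findtext("policy_evaluated/spf") == "pass" or row.findtext("policy_evaluated/dkim") == "pass":
            continue  # aligned on at least one mechanism; nothing to investigate
        ip = ipaddress.ip_address(row.findtext("source_ip"))
        owner = "fix" if any(ip in net for net in ours) else "not-ours"
        findings.append((str(ip), int(row.findtext("count")), owner))
    return "investigate", findings
```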
