Michael, let it go. If someone stops you to say "your zipper is down", you will not ask them for proof of identity, you will excuse yourself and investigate the problem. By my reckoning, DMARC reports are a lot like that.
Source Alpha says, "Server X is sending unauthenticated mail for Domain Y." Several possibilities exist:

- You already distrust information coming from Source Alpha, so you reject or discard the information.
- You already have enough data to investigate, so you ignore this report.
- You decide to investigate this report, which produces one of three outcomes:
  - Server X has a problem, and you fix it.
  - Server X is not your server, so you confirm that it is not your problem.
  - Source Alpha is wrong, so you add a rule to reject or discard future reports from that source.

I do not see any reason for a DMARC report to flow indirectly, so I would be suspicious of any reports that appeared to come that way. This means all I really need is an SPF PASS. But I do not need positive identification of the source.

On Mon, Feb 1, 2021 at 9:13 PM Michael Thomas <m...@mtcc.com> wrote:

> On 2/1/21 6:05 PM, Dave Crocker wrote:
>
> On 2/1/2021 5:58 PM, Michael Thomas wrote:
>
> This, on the other hand, should be measurable. Saying that we should
> ignore authentication requirements should require extraordinary proof that
> it is needed for practical as well as security reasons. The burden of proof
> is on the nay-sayers, especially since it is so trivial to implement these
> days.
>
> Or perhaps:
>
> 1. Barrier to adoption, for something that supposedly needs a lot more
> adoption
>
> 2. Doesn't seem to make much difference.
>
> I'd class those as suggesting rather strongly that the burden is on those
> that want to impose the barrier, rather than those who don't.
>
> The problem with arbitrarily claiming a requirement, without justifying it
> carefully and in a balanced manner is that it is, well, arbitrary.
>
> Because we all know how well unauthenticated data worked out for email. I
> fail to see why anybody would be in favor of digesting unauthenticated data
> when the method of authenticating it is trivial and well known. It's an
> extraordinary claim that needs to be backed up. But you don't need to
> convince me; you need to convince the security AD's and cross area
> reviewers.
>
> Mike
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
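The report triage described in the first message of this thread (discard distrusted sources, otherwise require only an SPF PASS), sketched as an added example that is not code from any participant. The authserv-id, the domains and the sample messages are constructed assumptions; the sketch reads only an Authentication-Results header (RFC 8601) stamped by the receiver's own MTA, since a sender can forge any other.

```python
import re
from email import message_from_string

# Assumptions (hypothetical values): our border MTA stamps Authentication-Results
# with this authserv-id, and reports from these domains are already distrusted.
TRUSTED_AUTHSERV_ID = "mx.example.org"
DISTRUSTED_SOURCES = {"alpha.example.net"}

# Captures the SPF result and the domain part of smtp.mailfrom in one resinfo.
SPF_RE = re.compile(
    r"\bspf=(\w+)\b[^;]*?\bsmtp\.mailfrom=(?:[^\s;@]+@)?([^\s;]+)", re.I)

def triage_report(raw_message: str) -> str:
    """Return 'discard', 'suspicious' or 'investigate' for a DMARC report mail."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = header.partition(";")
        if authserv_id.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue  # not written by our MTA, so the sender could have forged it
        match = SPF_RE.search(results)
        if not match:
            continue
        result, domain = match.group(1).lower(), match.group(2).lower()
        if result != "pass":
            return "suspicious"   # no SPF PASS: report did not arrive directly
        if domain in DISTRUSTED_SOURCES:
            return "discard"      # source already known to send bad reports
        return "investigate"      # SPF PASS is enough; no stronger identity needed
    return "suspicious"           # no trustworthy SPF result at all

def sample(authserv_id: str, spf: str, mailfrom: str) -> str:
    """Build a constructed report message with one folded header."""
    return (f"Authentication-Results: {authserv_id};\n"
            f" spf={spf} smtp.mailfrom={mailfrom}\n"
            f"From: {mailfrom}\nSubject: Report Domain: example.org\n\n(report)\n")

if __name__ == "__main__":
    for args in [("mx.example.org", "pass", "noreply@reporter.example.com"),
                 ("mx.example.org", "pass", "reports@alpha.example.net"),
                 ("mx.example.org", "softfail", "noreply@reporter.example.com"),
                 ("forged.example", "pass", "noreply@reporter.example.com")]:
        print(args, "->", triage_report(sample(*args)))
```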