I tend to agree on that last Receiver bullet being unenforced. If I had to choose between an organization deploying DMARC without reporting, or holding up on deploying DMARC because they can’t provide reporting for X, Y, Z reasons ... I’m choosing the former. Does it potentially leave a hole in intelligence? Yes, though it doesn’t leave a hole in protection. I suppose there’s the case where they just say they’ve only “partially” implemented DMARC, but then what’s the point of the MUST.
I want to stew on some of the other bits. I’m on the fence for the Domain Owner requirements. I also feel like the document needs a better definition of Mediator (I didn’t see one in the document).

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: dmarc <dmarc-boun...@ietf.org> On Behalf Of Murray S. Kucherawy
Sent: Thursday, August 19, 2021 3:16 PM
To: IETF DMARC WG <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Ticket #66 (Define What It Means to Have Implemented DMARC) and #62 (Reporting a MUST)

On Thu, Aug 19, 2021 at 11:24 AM Todd Herr <todd.herr=40valimail....@dmarc.ietf.org> wrote:

Mail Receiver: To implement DMARC, a mail receiver MUST do the following:

* Perform DMARC validation checks on inbound mail
* Perform validation checks on any authentication check results recorded by mediators that handled the message prior to its reaching the Mail Receiver.
* Send aggregate reports to Domain Owners at least every 24 hours when a minimum of 100 messages with that domain in the RFC5322.From header field have been seen during the reporting period

Let's discuss...

I'm of the opinion that this last bullet can't be a MUST. I understand that operators in this space really want this to be mandatory, but we are going to run into cases where doing this is difficult or impossible either because of operational difficulties (think resource-constrained environments) or policies ("I am not willing to share any detail about what mail arrives here"). Making this a MUST explicitly disqualifies them. Moreover, I would claim that not generating aggregate reports does not impede interoperability at all, which means use of MUST or even SHOULD here is not appropriate.

-MSK, participating only
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc