To my mind, it is crazy talk to assert that DMARC is not an authentication method.
My bank's phone app gives me the option of authenticating with either a username+password or a fingerprint. For remote access to work computers, I use two authentication methods together. Using two component methods to accomplish an authentication process does not cause it to be something other than an authentication process.

Specific to DMARC:

The sender's policy suggestion is probably the least important part of DMARC v1. The evidence given to this forum says that most senders do not have a DMARC policy. Of those that do, the policy is most often NONE, and therefore useless. Of all the mail that is blocked by automation because of p=(reject | quarantine), a significant portion is blocked for reasons that the recipient user considers incorrect. So the proportion of mail which is properly blocked because of a DMARC policy looks rather tiny.

Nonetheless, about 85% of my incoming messages have FROM addresses that I classify as "reliably identified". This is mostly because of DMARC PASS, but I also use some local policies that serve as alternatives to DMARC PASS.

I don't need a DMARC policy to produce DMARC PASS or FAIL. A sender's policy expression is only meaningful because DMARC invented an algorithm for authenticating the FROM address, something that had never been done before. Without an algorithm to generate PASS or FAIL, there is nothing about which a sender can make a disposition suggestion.

Doug Foster

On Sun, Oct 31, 2021 at 1:50 PM Dotzero <dotz...@gmail.com> wrote:

> On Sun, Oct 31, 2021 at 1:03 PM Scott Kitterman <skl...@kitterman.com>
> wrote:
>
>> Perhaps it's a pointless semantic distinction. I think of DMARC as a
>> mechanism for expressing policy about authentication, not an authentication
>> method.
>>
>> I still don't understand what you think is unprotected.
>>
>> Scott K
>
> +1
>
> DMARC allows the owners or administrators of a domain to express a policy
> for email messages which fail to pass aligned DKIM or SPF and request
> validators/receivers to act on that policy. In and of itself DMARC is not
> an authentication method.
>
> Michael Hammer
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
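
The pass/fail evaluation both messages above refer to (a passing SPF or DKIM result whose domain is aligned with the From domain), as an added example that is not part of the thread and not code from any DMARC implementation. The function names, the small suffix set standing in for the Public Suffix List, and the sample messages are assumptions constructed for illustration; the strict flags correspond to the aspf/adkim alignment modes, with relaxed as the default.

```python
# Added illustration, not code from the thread or from any DMARC implementation.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unknown TLD, treat last label as suffix

def aligned(from_domain, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf, dkim, strict_spf=False, strict_dkim=False):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    if spf[0] == "pass" and aligned(from_domain, spf[1], strict_spf):
        return "pass"
    if any(r == "pass" and aligned(from_domain, d, strict_dkim) for r, d in dkim):
        return "pass"
    return "fail"

# Constructed sample messages: (From domain, SPF result, DKIM results).
SAMPLES = [
    ("example.com", ("pass", "bounces.example.com"), []),
    ("example.com", ("pass", "esp.net"), [("pass", "esp.net")]),
    ("example.co.uk", ("fail", "esp.net"), [("pass", "mail.example.co.uk")]),
]

if __name__ == "__main__":
    for from_domain, spf, dkim in SAMPLES:
        print(from_domain, spf, dkim, "->", dmarc_result(from_domain, spf, dkim))
```

In the second sample both SPF and DKIM pass, yet the result is fail because neither authenticated domain is aligned with the From domain.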