On Thu, Jan 6, 2022 at 3:32 AM Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> There are good reasons for talking about a default DMARC policy.  It is
> certainly not to give evaluators permission, because we know that
> evaluators can do whatever they want, and they will do what they deem to be
> in their best interest.
>
> The point of a specification like this is to understand each participant's
> best interest and channel that toward the common goal.  I perceive a false
> assumption that when a sender does not publish p=reject, then his messages
> cannot be blocked for failure to validate, and therefore DKIM signatures
> are unnecessary.  Your question about "none" equaling "ignore" comes
> across that way.  "None" means that the sender provides no guidance, it
> does not mean that the message cannot be blocked because of sender
> authentication failure.
>

I'm not sure I agree with the second paragraph's assertion.

DMARC, or any protocol specification really, is about interoperability
between two participants.  In DMARC's case, that's a sender and a
receiver.  When a policy is published, the receiver has asked the sender's
DNS for that information, received a reply, and put it to use in the DMARC
evaluation machine; the protocol has been followed.  However, when no
policy is published, or in the errant case where multiple policies are
published, the protocol cannot be said to have completed, since there was
no interaction between the sender and the receiver.

Similarly, the notion of a default DMARC policy suggests that when no
policy is published, the receiver has some means to assert "I think I know
what you probably would want" and then completes the protocol on that
basis.  But there's been no interoperability here; no interoperable
protocol has been executed.  It's on the same basis that Scott earlier said
Best-Guess SPF is not SPF.

> It IS in the interest of an evaluator to apply the DMARC test to every
> message, so I believe it is in the interest of the specification to
> acknowledge that likelihood.  If someone in the group believes that it is
> contrary to an evaluator's best interest, we need to discuss and document
> that risk also.
>

I suggest that this might be the kind of advice we float in a Best Current
Practices document or similar, if that's the consensus opinion, but not in
the protocol itself.  At a minimum, I suggest that it should be informative
text, and certainly not mandatory.

-MSK, participating
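As an added illustration (my code, not anything posted in this thread) of the distinction drawn above between a published p=none and the case where the protocol never completes: the receiver-side record discovery of RFC 7489 section 6.6.3, run over constructed sample TXT answers for _dmarc.<domain>.

```python
# Added example, not from the list thread: distinguish "no DMARC policy could be
# evaluated" (zero or multiple records) from a published p=none, per RFC 7489
# section 6.6.3. All domains and records below are constructed sample data.

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; tag names are lowercased."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def discover_policy(txt_answers):
    """Return the requested policy ('none', 'quarantine', 'reject'), or None
    when the protocol did not complete: no DMARC record, more than one, or a
    record with no usable 'p' tag and no reporting address."""
    dmarc = [r for r in txt_answers if r.strip().startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return None                  # zero or multiple records: take no action
    tags = parse_tags(dmarc[0])
    p = tags.get("p", "").lower()
    if p in ("none", "quarantine", "reject"):
        return p
    # Missing/invalid 'p': with a rua URI the receiver SHOULD act as if p=none
    # had been published; otherwise no DMARC processing applies. The mailto:
    # prefix check is a simplification of "syntactically valid URI".
    return "none" if tags.get("rua", "").startswith("mailto:") else None

def evaluate(txt_answers, spf_aligned, dkim_aligned):
    """Return (result, requested_action). result 'none' means DMARC was never
    evaluated (not the same thing as a published p=none); 'pass'/'fail' is the
    aligned-authentication outcome. requested_action is only the sender's
    request; the receiver's own handling of failures is outside this function."""
    policy = discover_policy(txt_answers)
    if policy is None:
        return ("none", None)
    passed = spf_aligned or dkim_aligned
    return ("pass" if passed else "fail", None if passed else policy)

# Constructed sample TXT answers for _dmarc.<domain>; none of these are real.
SAMPLE_ANSWERS = {
    "no-record.example": ["some-unrelated-verification-token"],
    "two-records.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "none.example": ["v=DMARC1; p=none; rua=mailto:reports@none.example"],
    "no-p-tag.example": ["v=DMARC1; rua=mailto:reports@no-p-tag.example"],
    "reject.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}

if __name__ == "__main__":
    for domain, answers in SAMPLE_ANSWERS.items():
        print(domain, evaluate(answers, spf_aligned=False, dkim_aligned=False))
```

Note that "none.example" and "two-records.example" come out differently: the first yields a fail with a requested action of "none" (no guidance), the second yields no DMARC result at all.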
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc