On Tue, Jan 18, 2022 at 1:13 PM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
> Michael, you ducked the question.
>
> If a domain owner has a right to not participate in DMARC, why are we
> removing that right with PSD policies?

I said in an earlier message in this thread that I did not understand the tree walk to mean that PSD policies will rule if the org domain doesn't publish one. Here's what I wrote:

If the intent of the tree walk is, at least in part, to allow for publishing of policy records at the PSD level and for those records to be inherited by existing subdomains (e.g., _dmarc.tld is inherited by domain.tld if domain.tld does not publish its own policy record) then I have badly misunderstood the tree walk. If that's not the intent, then the next rev of DMARCbis needs to make that more clear.

One of us is wrong in our understanding of the point of the tree walk, and it very well could be me, but I think we need to get consensus here on this point.

> Either participation is optional or it is not. Which is it?
>
> This right to not participate is based on an assumption that DMARC will be
> used to block legitimate traffic. That fear is only justified because we
> have been unwilling to document how DMARC should be used to ensure
> appropriate dispositions. Failure to talk about failure management has
> created the problem and we seem determined to perpetuate it (even though
> failure management, as applied to mailing lists, was part of our charter.)

I submit that DMARCbis does say how DMARC should be used to ensure appropriate dispositions, in the Introduction section:

A DMARC pass indicates only that the RFC5322.From domain has been authenticated for that message. Authentication does not carry an explicit or implicit value assertion about that message or about the Domain Owner.
Furthermore, a mail-receiving organization that performs DMARC verification can choose to honor the Domain Owner's requested message handling for authentication failures, but it is under no obligation to do so; it might choose different actions entirely.

For a mail-receiving organization supporting DMARC, a message that passes verification is part of a message stream that is reliably associated with the RFC5322.From field Domain Owner. Therefore, reputation assessment of that stream by the mail-receiving organization is not encumbered by accounting for unauthorized use of that domain in the RFC5322.From field. A message that fails this verification is not necessarily associated with the Domain Owner's domain and its reputation

--
*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* todd.h...@valimail.com
*m:* 703.220.4153
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc