On Thu 11/Aug/2022 18:26:38 +0200 Murray S. Kucherawy wrote:
> A domain owner can know, for instance, that it only sends transactional messages that have no purpose to ever go to a mailing list.  Such an operator can safely set "p=reject" because the risk of the collateral damage about which we're concerned here is close to zero.  That is equivalent to the domain owner knowing not only that there's dual authentication, but also that authentication is highly likely to survive to delivery.  When users are introduced into such a system, that logic goes out the window.  DMARC is arguably not appropriate for those use cases, and Barry is urging that we say so.


To have to use different domains for transactional messages vs. personal usage which might include mailing lists is an artifact of authentication as well. Recall, for example, Brett McDowell, who participated in the ietf-dkim list sporting an address with a domain part of paypal.com. In 2010 his company created the domain paypal-inc.com in order to separate mail flows.

Creating look-alike domains is not the most natural thing to do, and has the potential to confuse recipients, as spammers quickly learned.

OTOH, stopping at p=none is not very effective. It can be interesting only for email geeks. Saying that DMARC is for highly abused domains only, albeit near to the original aim, sounds like saying, after the invention of locks, that you can keep your home door unlocked because you're not a bank. Since locks exist, I want to lock my door too.


Best
Ale
--
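The collateral-damage argument above (a transactional domain can run p=reject, but a message relayed through a mailing list loses SPF alignment and usually its DKIM signature) can be modelled in a few lines. This is an added example, not code from the thread or from any DMARC implementation; the domains and authentication results are constructed, and the organizational-domain lookup is simplified to the last two labels instead of a Public Suffix List query.

```python
# Added example, not code from the thread: a toy model of DMARC evaluation.
# Domains and authentication results below are constructed for illustration.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf=None, dkim=None):
    """Return 'pass', 'deliver', 'quarantine' or 'reject' for one message.
    spf = (passed, MAIL FROM domain); dkim = (passed, d= domain of the signature)."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf and spf[0] and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim and dkim[0] and aligned(dkim[1], from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain in From: uses sp= when present, otherwise the p= policy applies.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

if __name__ == "__main__":
    # Direct transactional mail: SPF and DKIM both pass and align -> "pass".
    print(dmarc_disposition("v=DMARC1; p=reject", "example.com",
                            spf=(True, "example.com"), dkim=(True, "example.com")))
    # The same message relayed by a list: SPF now carries the list's domain and the
    # subject tag broke the DKIM signature, so p=reject turns into "reject".
    print(dmarc_disposition("v=DMARC1; p=reject", "example.com",
                            spf=(True, "lists.example.org"), dkim=(False, "example.com")))
```

Swapping p=reject for p=none in the second call yields "deliver", which is the trade-off the thread is discussing.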
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc