So we would likely need a section in the core document with a SHOULD for evaluation (if it’s not already there), and then a section in the aggregate reporting for a MUST for reporting on evaluated information (if they choose to send reports at all), correct?
-- Alex Brotman Sr. Engineer, Anti-Abuse & Messaging Policy Comcast From: dmarc <dmarc-boun...@ietf.org> On Behalf Of Murray S. Kucherawy Sent: Monday, October 3, 2022 10:03 AM To: Todd Herr <todd.herr=40valimail....@dmarc.ietf.org> Cc: Douglas Foster <dougfoster.emailstanda...@gmail.com>; IETF DMARC WG <dmarc@ietf.org> Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result On Mon, Oct 3, 2022 at 9:03 AM Todd Herr <todd.herr=40valimail....@dmarc.ietf.org<mailto:40valimail....@dmarc.ietf.org>> wrote: On Sun, Oct 2, 2022 at 10:34 PM Douglas Foster <dougfoster.emailstanda...@gmail.com<mailto:dougfoster.emailstanda...@gmail.com>> wrote: I am starting from the viewpoint that (a) reporting is a courtesy provided by the evaluator to the domain owner, and (b) the evaluator will do so in the context of his own interest, which includes filtering messages with maximum possible efficiency. It is only a courtesy if the evaluator is not interested in promoting more widespread adoption of authentication. For those evaluators who want to maximize adoption of authentication (because authenticated identifiers are ones to which reputation can be reliably attached and used in handling decisions) it is beneficial to the evaluator to provide reports to all who solicit them, so as to ensure that the report receivers can address shortcomings in their authentication processes. I believe that the evaluators wanting to promote more widespread adoption of authentication far outnumber those who don't. (No hat.) I think if the consensus concurs with this perspective, then this is something the document should say explicitly (if it doesn't already). Specifically, I think the case is being made here that all methods SHOULD be evaluated, with no short-circuiting, and the results of all of them need to be included in any report that's generated, so that the report recipient doesn't get only a partial view of what the world is seeing. Meanwhile, there's clearly a bar someplace with regard to whether an operator chooses to generate reports. I'm sure they all think operators support the idea of email authentication, but it's not clear whether they are prepared to make the investment to do so beyond getting the filtering part of DMARC working. As Doug put it, it depends on "the context of his own interest". I'm not sure this document making a normative assertion about that part of the question will move the needle at all. -MSK
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc