Personally, I think the right approach to this is a section about the importance of reporting to keep domain owners informed and aware and to promote wider adoption of authentication and policy protocols. That section would say that reporting SHOULD be done for those reasons and would explain the benefits. That would make it clear that the SHOULD is not for interoperability, but for the reasons laid out in that section. And then we use no further BCP 14 key words about reporting, allowing that section to carry the message.
Barry On Mon, Oct 3, 2022 at 12:01 PM Murray S. Kucherawy <superu...@gmail.com> wrote: > > On Mon, Oct 3, 2022 at 10:26 AM Brotman, Alex <alex_brot...@comcast.com> > wrote: >> >> So we would likely need a section in the core document with a SHOULD for >> evaluation (if it’s not already there), and then a section in the aggregate >> reporting for a MUST for reporting on evaluated information (if they choose >> to send reports at all), correct? > > > I'm having a hard time coming up with a crisp answer to this. > > From a security perspective, failing to do either of these doesn't create any > sort of security exposure, so neither is justified. > > From an operations perspective, you could argue that doing both is necessary > for robustness and operator sanity (i.e., the complete picture is recorded > which enables debugging), so both are justified. > > From the actual protocol standpoint, the filtering part of DMARC operates > just fine if you make the shortcut Doug is proposing, so the first SHOULD is > probably apt but the MUST is moot because it doesn't change interoperability. > > I guess it depends on what we think the priority is. > > -MSK > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
