If the evaluator takes shortcuts, our options are
- please don't report at all
- please report only evaluated identifiers
- please include identified but unevaluated identifiers using a
not-evaluated status
- please include evaluated identifiers and a Flag event to tell the domain
owner that results are incomplete

I have no strong preference as long as the possibility is addressed.

The not-evaluated status provides the most information.

The incomplete flag handles all possible causes, including an evaluator who
exits the process without parsing the entire header set.  (Hopefully the
least likely event.)

These two options inform the domain owner that data is missing, which seems
important.

Doug

On Mon, Oct 3, 2022, 12:10 PM Barry Leiba <barryle...@computer.org> wrote:

> Personally, I think the right approach to this is a section about the
> importance of reporting to keep domain owners informed and aware and
> to promote wider adoption of authentication and policy protocols.
> That section would say that reporting SHOULD be done for those reasons
> and would explain the benefits.  That would make it clear that the
> SHOULD is not for interoperability, but for the reasons laid out in
> that section.  And then we use no further BCP 14 key words about
> reporting, allowing that section to carry the message.
>
> Barry
>
> On Mon, Oct 3, 2022 at 12:01 PM Murray S. Kucherawy <superu...@gmail.com> wrote:
> >
> > On Mon, Oct 3, 2022 at 10:26 AM Brotman, Alex <alex_brot...@comcast.com> wrote:
> >>
> >> So we would likely need a section in the core document with a SHOULD
> >> for evaluation (if it’s not already there), and then a section in the
> >> aggregate reporting for a MUST for reporting on evaluated information (if
> >> they choose to send reports at all), correct?
> >
> >
> > I'm having a hard time coming up with a crisp answer to this.
> >
> > From a security perspective, failing to do either of these doesn't
> > create any sort of security exposure, so neither is justified.
> >
> > From an operations perspective, you could argue that doing both is
> > necessary for robustness and operator sanity (i.e., the complete picture is
> > recorded which enables debugging), so both are justified.
> >
> > From the actual protocol standpoint, the filtering part of DMARC
> > operates just fine if you make the shortcut Doug is proposing, so the first
> > SHOULD is probably apt but the MUST is moot because it doesn't change
> > interoperability.
> >
> > I guess it depends on what we think the priority is.
> >
> > -MSK
> >
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> > https://www.ietf.org/mailman/listinfo/dmarc
>