Should it reference consumer-oriented domains instead? 

Users of comcast.net can't get an email account with out first being an ISP 
customer.  I don't believe the intent was to exclude them from the proposed 
language.  Similarly for a few other providers, and then there are explicit 
pay-for services like Fastmail, Tutanova, etc.  I would think they're in the 
same category?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: dmarc <dmarc-boun...@ietf.org> On Behalf Of Scott Kitterman
> Sent: Tuesday, March 28, 2023 12:18 PM
> To: dmarc@ietf.org
> Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
> 
> On Tuesday, March 28, 2023 11:58:40 AM EDT Todd Herr wrote:
> > Upon further reflection, I find myself liking Barry's proposed text
> > less, and instead propose the following:
> >
> > On Tue, Mar 28, 2023 at 9:42 AM Todd Herr <todd.h...@valimail.com> wrote:
> > > On 28 Mar 2023, at 17:15, Barry Leiba wrote:
> > >> > NEW
> > >> >
> > >> >    5.5.6.  Decide If and When to Update DMARC Policy
> > >> >
> > >> >    Once the Domain Owner is satisfied that it is properly
> > >> >    authenticating
> > >> >    all of its mail, then it is time to decide if it is appropriate to
> > >> >    change the p= value in its DMARC record to p=quarantine or p=reject.
> > >> >    Depending on its cadence for sending mail, it may take many months
> > >> >    of
> > >> >    consuming DMARC aggregate reports before a Domain Owner reaches
> the
> > >> >    point where it is sure that it is properly authenticating all of its
> > >> >    mail, and the decision on which p= value to use will depend on its
> > >> >    needs.
> > >> >
> > >> >    It is important to understand that many domains may never use
> > >> >    policies of “quarantine” or “reject”, and that these policies are
> > >> >    intended not as goals, but as policies available for use when they
> > >> >    are appropriate.  In particular, “reject” is not intended for
> > >> >    deployment in domains with users who send routine email, and its
> > >> >    deployment in such domains can disrupt indirect mail flows and cause
> > >> >    damage to operation of mailing lists and other forwarding services.
> > >> >    This is discussed in [RFC7960] and in Section 5.8, below.  The
> > >> >    “reject” policy is best reserved for domains that send only
> > >> >    transactional email that is not intended to be posted to mailing
> > >> >    lists.
> > > >
> > > >    To be explicitly clear: domains used for general-purpose email
> > > > MUST
> > > >
> > >> >    NOT deploy a DMARC policy of p=reject.
> >
> > NEW
> >
> > 5.5.6 Decide Whether to Update DMARC Policy
> >
> > Once the Domain Owner is satisfied that it is properly authenticating
> >
> > all of its mail, then it is time to decide if it is appropriate to
> >
> > change the p= value in its DMARC record to p=quarantine or p=reject.
> >
> > Depending on its cadence for sending mail, it may take many months
> >
> > of consuming DMARC aggregate reports before a Domain Owner reaches
> >
> > the point where it is sure that it is properly authenticating all
> >
> > of its mail, and the decision on which p= value to use will depend on
> > its needs.
> >
> > The policies "reject" and "quarantine" are more effective than "none"
> > for accomplishing the chief goal of DMARC, namely to stop the
> > exact-domain spoofing of the domain in the RFC5322.From header.
> > However, experience has shown that a policy of "reject" can result in
> > the disruption of indirect mail flows and cause damage to the
> > operation of mailing lists and other forwarding services; [@!RFC7960]
> > and [@!RFC8617] and Section 5.8, below, all discuss this topic and/or
> > possible strategies for addressing it.
> >
> > Because of these challenges, some domains, particularly those with
> > open signup capabilities, may prefer to remain at a policy of p=none.
> > This topic is discussed further in section 11.4 below.
> >
> > 11.4 Open Signup Domains and DMARC Policies
> >
> >
> > Certain domains with open signup capabilities, where anyone can
> > register an
> >
> > account and send mail, may not want to implement p=reject. An example
> > of such
> >
> > domains would be consumer mailbox providers that used to be known as
> > "freemail
> >
> > providers". Domains with no DMARC policy or a policy of p=none are
> > vulnerable
> >
> > to spoofing, but their users can send mail using these registered
> > email addresses
> >
> > from unrelated third party systems (such as "forward to a friend"
> > services) or participate
> >
> > in mailing lists without impediment. The security challenges that this
> > presents to the
> >
> > domain owner are left up to those systems that allow open registration
> > of users.
> 
> I don't understand the connection between DMARC policies and open signup
> domains?  What makes them in any way special relative to DMARC?
> 
> Scott K
> 
> 
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/dmarc__;!
> !CQl3mcHX2A!DOzdiSpU_A-
> KbSj6bpJZO_fnHiQ80eb3LTiQu2G9kcz185A1zp299yH6PyC4_Be61OT86Z4L1fyqtg
> Hk-xPY$
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Reply via email to