On Sunday, April 9, 2023 9:55:29 AM EDT John Levine wrote:
> It appears that Matthäus Wander <mail@wander.science> said:
> >Earlier in the discussion, the term high-value domain has been used
> >(along with transactional email domain) in opposition to domain for
> >general-purpose email. ...
>
> "High value" isn't a useful metric here. yahoo.com is a very valuable
> domain, but they still shouldn't be using a reject policy. The useful
> distinction is mail from people rather than mail from machines,
> whether the latter is transactions or bulk.
>
> Keep in mind that DMARC policies cause damage to transactional mail,
> too. If a sender only validates with SPF (still common because it's
> cheap) and a recipient uses a forwarding address, transactional mail
> will get lost. A while back I talked to some people who worked at
> Paypal who told me of course they were aware of that, but for their
> purposes and given what a phish target they are, they felt the
> benefits were worth it.
>
> When someone sets a DMARC policy for mail from people, it's hard to
> think of a time when they asked at all whether that was what the
> people wanted. Or if they did, they asked something like "do you want
> your mail to be more secure?" which misses the point.
>
> R's,
> John
>
> PS: I can make anyone's mail 100% secure by unplugging your mail
> server but I'm pretty sure that's not what you want.

It gets even more complicated to describe. I am aware of companies that
have policies that prohibit use of company assigned email addresses in
mailing lists and other known rough spots for DMARC and published DMARC
p=reject with the understanding that there is mail that won't get
delivered as a result. They've evaluated the trade-offs and put policies
in place with the understanding of the implications of them.

They can do that. It's not even as simple as transactional/real users.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
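
An added example, not part of the original messages: a simplified Python model of the case John Levine describes above, where SPF-only transactional mail passes DMARC on direct delivery but fails at the recipient after plain forwarding. The domains, IP addresses, and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
# Added illustration, not code from the thread: simplified DMARC evaluation.
# Domains and IP addresses are constructed (documentation ranges).
from dataclasses import dataclass
from typing import Optional

# Constructed SPF data: which IPs each MailFrom domain authorizes.
SPF_AUTHORIZED = {
    "bank.example": {"192.0.2.10"},
    "forwarder.example": {"198.51.100.25"},
}

def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Delivery:
    header_from: str        # RFC5322.From domain, the one DMARC protects
    mail_from: str          # RFC5321.MailFrom domain, the one SPF checks
    connecting_ip: str      # host handing the message to the final receiver
    dkim_d: Optional[str]   # d= of a signature that still verifies, or None

def evaluate(msg: Delivery, policy: str):
    """Return (dmarc_pass, action) under relaxed alignment."""
    spf_pass = msg.connecting_ip in SPF_AUTHORIZED.get(msg.mail_from, set())
    spf_ok = spf_pass and org_domain(msg.mail_from) == org_domain(msg.header_from)
    dkim_ok = msg.dkim_d is not None and org_domain(msg.dkim_d) == org_domain(msg.header_from)
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

def scenarios(policy: str = "reject"):
    sender, fwd = "192.0.2.10", "198.51.100.25"
    cases = {
        "direct, SPF only": Delivery("bank.example", "bank.example", sender, None),
        "forwarded, SPF only": Delivery("bank.example", "bank.example", fwd, None),
        "forwarded, MailFrom rewritten": Delivery("bank.example", "forwarder.example", fwd, None),
        "forwarded, DKIM signed": Delivery("bank.example", "bank.example", fwd, "mail.bank.example"),
    }
    return {name: evaluate(msg, policy) for name, msg in cases.items()}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} -> {result}")
```

The rewritten-MailFrom case shows that a forwarder passing SPF under its own domain does not help, because that domain is not aligned with the From header; only an aligned DKIM signature that survives forwarding does.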