On Sun, Apr 9, 2023 at 6:33 AM Jesse Thompson <z...@fastmail.com> wrote:
> As Todd previously stated, my preference is for language that acknowledges
> the primacy of the domain owner over interoperability. CISOs have been sold
> (arguably, by the DMARC deployment companies' marketing) on the idea that
> there are security benefits. Maybe oversold, but there are benefits and the
> motivation will not change. Let's not also overlook the primary benefit that
> _the process of deploying DMARC_ gives to an organization: increased
> management and governance (enabled by the observability from the reports).
> In any case, the domain owner is motivated to deploy DMARC and gain the
> perceived benefits. If we are going to tell these motivated domain owners
> to MUST do something, at least make it something they might consider doing.
>

I don't think the way DMARC has been marketed is germane to discussions about interoperability, which is what "MUST NOT" type language seeks to resolve. Nobody is denying that there's a security problem to be dealt with here. It's a question of whether the side effects are acceptable. And given that DMARC only addresses direct domain attacks, and not lookalikes or similar, I suggest that there's a clear imbalance when comparing the net benefits to the aggregate costs. If we're going to argue that that's not true, the document probably needs to give that a much more thorough treatment than it currently does.

> "Before a general purpose domain publishes p=reject|quarantine, the domain
> owner MUST emit mail from, or provide to their stakeholders/end-users, an
> alternative domain or subdomain with a p=none policy for any email that
> needs to traverse a non-DMARC-mitigating MLM or (more generally) from any
> 3rd party that cannot be authorized by SPF or DKIM alignment."
>

I think something like this is worthy of consideration. It (or something like it) is the very least we can do. It is the very least we must do.

-MSK, participating
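As an added illustration (not code from this thread, and not any DMARC implementation's own), the following Python walks through the policy discovery a receiver performs for a sending subdomain under RFC 7489 section 6.6.3. It shows why the "alternative domain or subdomain with a p=none policy" in the quoted proposal only works if that subdomain publishes its own _dmarc record or the organizational domain carries an sp=none tag; otherwise the subdomain silently inherits the parent's p=reject. All domain names and TXT records below are constructed, and organizational-domain detection is simplified to the last two labels rather than consulting the Public Suffix List.

```python
# Constructed DNS table standing in for real TXT lookups (not real zones).
FAKE_DNS = {
    # Organizational domain with a strict policy and no sp= tag.
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # Alternative subdomain that publishes its own relaxed record (the proposal's case).
    "_dmarc.lists.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    # Organizational domain that relaxes all subdomains via sp=none instead.
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(txt):
    """Parse a 'tag=value; tag=value' record into a dict.

    Returns None unless the record is a valid DMARC record (v=DMARC1 first
    and a p= tag present), mirroring the minimum RFC 7489 requires.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example only; real receivers use the Public Suffix List.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookup(name, dns):
    """Fetch and parse the TXT record at `name` from the constructed table."""
    txt = dns.get(name)
    return parse_dmarc(txt) if txt else None


def effective_policy(from_domain, dns=FAKE_DNS):
    """Return (policy, record_owner) for an RFC5322.From domain.

    Order of discovery per RFC 7489 6.6.3:
      1. _dmarc.<from_domain> itself; its p= tag applies.
      2. Otherwise _dmarc.<organizational domain>; sp= applies to the
         subdomain if present, else p=.
      3. No record anywhere means no DMARC policy ("none", None).
    """
    from_domain = from_domain.lower().strip(".")
    record = lookup(f"_dmarc.{from_domain}", dns)
    if record:
        return record["p"].lower(), from_domain
    org = organizational_domain(from_domain)
    if org != from_domain:
        record = lookup(f"_dmarc.{org}", dns)
        if record:
            return record.get("sp", record["p"]).lower(), org
    return "none", None


def has_relaxed_alternative(org_domain, dns=FAKE_DNS):
    """Audit helper for the quoted proposal (hypothetical check, not from the thread):

    True if the organizational domain is strict (reject/quarantine) and at
    least one subdomain in the table resolves to an effective p=none.
    """
    policy, _ = effective_policy(org_domain, dns)
    if policy not in ("reject", "quarantine"):
        return False
    suffix = "." + org_domain
    candidates = {
        name[len("_dmarc."):] for name in dns if name.endswith(suffix)
    }
    # A subdomain with no record of its own is also a candidate if sp=none applies.
    candidates.add("anything" + suffix)
    return any(effective_policy(sub, dns)[0] == "none" for sub in candidates)


if __name__ == "__main__":
    for d in ("example.com", "lists.example.com", "news.example.com",
              "news.example.org", "unrelated.test"):
        print(f"{d:22} -> {effective_policy(d)}")
    print("example.com has relaxed alternative:", has_relaxed_alternative("example.com"))
    print("example.org has relaxed alternative:", has_relaxed_alternative("example.org"))
```

Running it shows the caveat directly: news.example.com, which publishes nothing, inherits p=reject from example.com, while news.example.org gets p=none from its parent's sp= tag. A domain owner following the proposed MUST therefore has to publish the p=none record explicitly, not merely "use a subdomain".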
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc