I agree with where you're coming from, as these were my same concerns as well. That's why I also tried to say a couple of times that I feel if we make an effort to make clear the interoperability expectations, but also have accompanying language that those specific expectations do not make a statement about perceived security benefits of strict DMARC policies... - My hope is that should be sufficient enough of a compromise to address everyone's concerns.

- Mark Alley

On 4/11/2023 10:15 AM, Neil Anuskiewicz wrote:

On Apr 11, 2023, at 4:29 AM, Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:


Neil, I am slowly embracing the position of the Mailing List advocates.

If mailing lists and all other exceptional situations could be eliminated, evaluators 
could mindlessly apply a rule to "block on fail when p=reject".   Similarly, if 
all evaluators would implement reliable mechanisms for domain members to request and 
obtain exceptions for mailing lists and other exceptional traffic, then domain owners 
could publish p=reject as soon as all of their traffic had signatures.  Unfortunately, we 
have a reality that some highly valued traffic arrives without authentication, and some 
evaluators do not provide an effective exception process.   This conundrum is aggravated 
by filtering products that do not provide administrators with sufficient exception 
configuration options.    I am content with language that documents this conundrum.

The Internet will always be an environment of imperfect information, so the 
only viable filtering scheme is one which expects and allows for exceptions.   
Additionally, my defenses against impersonation should not be dependent on the 
domain owner's policy statement.    Any allowed message is implicitly assumed 
to be free of impersonation, but assumptions are dangerous.   It is my job to 
replace guesswork with certainty based on research.  As indicated earlier, this 
can be done.  Using DMARC, SPF, and local policy, I am at 100% verified for 
MailFrom, and 97% verified for From.   Mailing lists have nothing to fear from 
my filtering and I have nothing to fear from p=none.

In short, we need smarter filtering.

Doug Foster

Mr. Foster, you seem (though I could be wrong) to be talking about inbound,
where you have complete control, but for policies set in domains sending
outbound, how would filters resolve the problem? We have little control over
outbound. Threat actors will phish wherever the phishing is good.

I guess I was hoping that security could be the top priority but it’s likely
naïveté. I can see the trade-offs. You piss off too many people and you end
up with a standard nobody wants to use.

Neil
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc