Reading through the various discussions about how to document the harm DMARC causes for general purpose domains, I started thinking. One way that a lot of major SaaS providers have chosen to deal with DMARC is spoofing their customers' names in the 5322.From comment string. There are numerous examples of this: PayPal, Docusign, Sage, Intuit are 4 big examples I can think of off the top of my head.
All of these companies send out financial or business mail on behalf of their customers, some of whom do use p=reject on their own domains. Some of them also use restrictive DMARC policies for this mail, others don't. Is this another issue we should document and make recommendations about? I was thinking along the lines that transactional SaaS providers should fully support DMARC and should not allow companies using p=reject in their business mail to access the service. I keep going back and forth that this is not an interoperability issue - the mail works fine even when the business is spoofed in the 5322.From comment string. But on a practical level it looks exactly like phishing mail because it's financial (or contractual) docs from a particular company coming from a random domain. I keep ending up at this isn't an interoperability issue, it's just an end run around DMARC and it's not the IETF's place to comment on that. But I thought I'd bring the discussion up here to see if other folks had different opinions.

laura

--
The Delivery Experts
Laura Atkins
Word to the Wise
la...@wordtothewise.com
Email Delivery Blog: http://wordtothewise.com/blog
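The pattern described in the post, a customer's name in the 5322.From display name while the address domain belongs to the SaaS provider, is exactly what a receiver-side check can surface. The following is an added example, not code from the post or from any of the providers named; the organization names, domains and DMARC policies are constructed placeholders standing in for a real `_dmarc.<domain>` lookup.

```python
# Added example (not from the original post): flag messages whose From display
# name names an organization that publishes a DMARC policy, while the From
# address domain belongs to someone else (the "customer's name in the
# 5322.From comment" pattern). Runs offline on constructed data.
import re
from email.utils import parseaddr

# Constructed table standing in for a DNS lookup of _dmarc.<domain>:
# organization name -> (its organizational domain, its published p= policy).
# All names and domains are placeholders, not real organizations.
PROTECTED_ORGS = {
    "acme bank": ("acmebank.example", "reject"),
    "globex": ("globex.example", "quarantine"),
    "initech": ("initech.example", "none"),
}

# Constructed sample From headers: aligned, mismatched, and unrelated.
SAMPLE_HEADERS = [
    '"Acme Bank via SaaS Billing" <invoices@saasbilling.example>',  # mismatch, p=reject
    '"Acme Bank" <statements@acmebank.example>',                    # aligned
    '"Initech Invoices" <billing@saasbilling.example>',             # mismatch, p=none
    '"Jane Doe" <jane@mail.example>',                               # no protected name
]

def org_domain_of(addr: str) -> str:
    """Organizational domain of an address: last two labels. This is a
    simplification; a real implementation consults the Public Suffix List."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])

def classify_from(from_header: str) -> dict:
    """Describe the display-name / address-domain relationship of one header."""
    display, addr = parseaddr(from_header)
    sender_org = org_domain_of(addr) if "@" in addr else ""
    result = {"display": display, "domain": sender_org, "mismatch": None, "policy": None}
    norm = re.sub(r"[^a-z0-9 ]", " ", display.lower())  # normalize for word matching
    for name, (domain, policy) in PROTECTED_ORGS.items():
        if re.search(rf"\b{re.escape(name)}\b", norm) and sender_org != domain:
            result["mismatch"] = domain   # the domain the display name implies
            result["policy"] = policy     # what that domain asks receivers to do
            break
    return result

def flag_restrictive(headers) -> list:
    """Headers whose display name implies a domain with p=reject or p=quarantine
    but whose address domain is someone else's: the case the post worries about."""
    return [h for h in headers
            if classify_from(h)["policy"] in ("reject", "quarantine")]
```

Only the first sample header is returned by `flag_restrictive`; the `p=none` mismatch is reported by `classify_from` but not flagged, mirroring the post's focus on businesses that use p=reject.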
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc