Reading through the various discussions about how to document the harm DMARC 
causes for general purpose domains, I started thinking. One way that a lot of 
major SaaS providers have chosen to deal with DMARC is spoofing their customers 
in the 5322.from comment string. There are numerous examples of this: Paypal, 
Docusign, Sage, Intuit are 4 big examples I can think of off the top of my 
head. 

All of these companies send out financial or business mail on behalf of their 
customers, some of whom do use p=reject on their own domains. Some of them also 
use restrictive DMARC policies for this mail, others don’t. 

Is this another issue we should document and make recommendations about? I was 
thinking along the line that transactional SaaS providers should fully support 
DMARC and should not allow companies using p=reject in their business mail to 
access the service? 

I keep going back and forth that this is not an interoperability issue - the 
mail works fine even when the business is spoofed in the 5322.from comment 
string. But on a practical level it looks exactly like phishing mail because 
it’s financial (or contractual) docs from a particular company coming from a 
random domain. I keep ending up at: this isn’t an interoperability issue, it’s just 
an end run around DMARC and it’s not the IETF’s place to comment on that. 

But I thought I’d bring the discussion up here to see if other folks had 
different opinions.

laura 

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Email Delivery Blog: http://wordtothewise.com/blog
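The pattern described in the post above, as an added example that is not part of the original message: a small Python check that parses the 5322.From header, shows that the identifier DMARC evaluates is only the domain of the address (the display name, the "comment string" the post refers to, is never authenticated), and flags messages whose display name carries a customer brand that the address domain does not belong to. The brand-to-domain table and the sample headers are constructed for this illustration and are assumptions, not data from the post.

```python
from email.utils import parseaddr

# Constructed sample From headers (not from the original post). The first two
# show the pattern under discussion: the customer's name sits in the display
# name while the address domain belongs to the SaaS provider.
SAMPLE_FROM_HEADERS = [
    '"Example Corp via DocuSign" <dse@docusign.example>',
    '"Example Corp" <billing@saas-provider.example>',
    '"Example Corp" <invoices@example.com>',
    'notifier@saas-provider.example',
]

# Assumed lookup table: brand keyword -> domains that brand actually mails from.
# In practice this would be built from the organisation's own asset inventory.
KNOWN_BRANDS = {"Example Corp": {"example.com"}}


def split_from(header):
    """Return (display_name, address, address_domain) for an RFC 5322 From header."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name, addr, domain


def dmarc_identifier(header):
    """The only identifier DMARC checks: the domain of the 5322.From address.

    The display name is not part of the check, which is why a provider-domain
    message with a customer's name in front of it can pass DMARC for the
    provider's domain.
    """
    return split_from(header)[2]


def domain_aligned(domain, brand_domains):
    """Relaxed-alignment style check: domain equals, or is a subdomain of, a brand domain."""
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def display_name_mismatch(header, known_brands=KNOWN_BRANDS):
    """Flag a header whose display name names a brand the address domain does not belong to.

    Returns the mismatched brand keyword, or None when the display name is
    empty, names no known brand, or names a brand whose domain is aligned.
    """
    name, _addr, domain = split_from(header)
    lowered = name.lower()
    for brand, brand_domains in known_brands.items():
        if brand.lower() in lowered and not domain_aligned(domain, brand_domains):
            return brand
    return None


def triage(headers, known_brands=KNOWN_BRANDS):
    """Return the subset of headers that show the display-name / domain mismatch."""
    return [h for h in headers if display_name_mismatch(h, known_brands) is not None]


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{h!r}: DMARC identifier={dmarc_identifier(h)!r}, "
              f"mismatch={display_name_mismatch(h)!r}")
```

The check is deliberately narrow: it only says that the name a recipient sees and the domain DMARC actually authenticated do not belong together, which is exactly the ambiguity the post describes. Whether such a message is legitimate provider mail or phishing cannot be decided from the header alone, so the output is a triage signal, not a verdict.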






_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
