On Monday, April 17, 2023 4:29:45 AM EDT Laura Atkins wrote:
> Reading through the various discussions about how to document the harm DMARC causes for general purpose domains, I started thinking. One way that a lot of major SaaS providers have chosen to deal with DMARC is spoofing their customers' in the 5322.from Comment string. There are numerous examples of this: Paypal, Docusign, Sage, Intuit are 4 big examples I can think of off the top of my head.
>
> All of these companies send out financial or business mail on behalf of their customers, some of whom do use p=reject on their own domains. Some of them also use restrictive DMARC policies for this mail, others don't.
>
> Is this another issue we should document and make recommendations about? I was thinking along the line that transactional SaaS providers should fully support DMARC and should not allow companies using p=reject in their business mail to access the service?
>
> I keep going back and forth that this is not an interoperability issue - the mail works fine even when the business is spoofed in the 5322.from comment string. But on a practical level it looks exactly like phishing mail because it's financial (or contractual) docs from a particular company coming from a random domain. I keep ending up this isn't an interoperability issue, it's just an end run around DMARC and it's not the IETF's place to comment on that.
>
> But I thought I'd bring the discussion up here to see if other folks had different opinions.
Many mailing lists do the same as part of their DMARC From re-writing work-around. I think it's out of scope for DMARC. DMARC is wired to 5322.from and not the Comment string. The thing is, it's a comment string, so on what basis is any particular comment good or bad? That's a complicated question and I think we have enough to do without trying to tackle this too.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
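The following is an added illustration of the point made in this exchange, not code from the thread or from any of the vendors named in it. It shows that DMARC identifier alignment (RFC 7489) is computed only from the domain of the addr-spec in 5322.From, so a display name naming some other company has no effect on the DMARC verdict, and it shows a separate, receiver-side heuristic that a mailbox provider could layer on top if it wanted to flag that pattern. The two message samples, the domains (saas-sender.example, example-bank.example, recipient.example) and the PROTECTED_BRANDS table are constructed for the example; the organizational-domain function is a two-label simplification of what real implementations do with the Public Suffix List.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample headers (assumption, not from the thread).
# saas-sender.example stands in for a transactional SaaS provider that signs
# its own mail; example-bank.example stands in for its customer.
SAAS_ON_BEHALF = """\
From: "Example Bank Ltd" <notifications@saas-sender.example>
To: alice@recipient.example
Subject: Your invoice is ready
Authentication-Results: recipient.example; dkim=pass header.d=saas-sender.example; spf=pass smtp.mailfrom=bounce.saas-sender.example

(body omitted)
"""

DIRECT_FROM_BANK = """\
From: "Example Bank Ltd" <statements@example-bank.example>
To: alice@recipient.example
Subject: Your statement
Authentication-Results: recipient.example; dkim=pass header.d=example-bank.example; spf=pass smtp.mailfrom=example-bank.example

(body omitted)
"""

# Brands a receiver chooses to watch for in display names, mapped to the
# domain those brands really send from. Assumed for the example.
PROTECTED_BRANDS = {"example bank": "example-bank.example"}


def org_domain(domain):
    """Simplified organizational domain: the last two labels. Real DMARC
    implementations consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(from_header):
    """The only part of 5322.From that DMARC looks at: the domain of the
    addr-spec. The display name (the "comment string") is discarded."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def aligned(rfc5322_from, authenticated, mode="relaxed"):
    """RFC 7489 identifier alignment: strict requires an exact domain match,
    relaxed requires the same organizational domain."""
    if mode == "strict":
        return rfc5322_from.lower() == authenticated.lower()
    return org_domain(rfc5322_from) == org_domain(authenticated)


def authenticated_domains(auth_results):
    """Extract the domains that passed DKIM (d=) and SPF (MAIL FROM) from an
    RFC 8601 style Authentication-Results value."""
    found = []
    m = re.search(r"dkim=pass\s+header\.d=([^\s;]+)", auth_results)
    if m:
        found.append(m.group(1))
    m = re.search(r"spf=pass\s+smtp\.mailfrom=([^\s;]+)", auth_results)
    if m:
        # smtp.mailfrom may be a full address or a bare domain; keep the domain
        found.append(m.group(1).rpartition("@")[2])
    return found


def display_name_flags(from_header, brands=PROTECTED_BRANDS):
    """Receiver-side heuristic, deliberately outside DMARC: the display name
    mentions a protected brand whose own domain is not aligned with the From
    address domain. Returns the brands that match."""
    display, _addr = parseaddr(from_header)
    fd = from_domain(from_header)
    return [brand for brand, dom in brands.items()
            if brand in display.lower() and not aligned(fd, dom)]


def evaluate(raw_message, mode="relaxed"):
    """DMARC alignment verdict plus the display-name heuristic for one message."""
    msg = message_from_string(raw_message, policy=default)
    frm = str(msg["From"])
    fd = from_domain(frm)
    auth = str(msg["Authentication-Results"])
    dmarc_pass = any(aligned(fd, d, mode) for d in authenticated_domains(auth))
    return {"from_domain": fd, "dmarc_pass": dmarc_pass,
            "display_name_flags": display_name_flags(frm)}


if __name__ == "__main__":
    for label, sample in (("SaaS on behalf", SAAS_ON_BEHALF),
                          ("direct from bank", DIRECT_FROM_BANK)):
        print(label, evaluate(sample))
```

Running it, the SaaS message passes DMARC (its From domain is saas-sender.example and that is what signed it) while the heuristic flags "example bank" in the display name; the message sent directly from example-bank.example passes and is not flagged. The first result is the whole point of the thread: nothing in DMARC is wrong here, and whether that display name is acceptable is a policy judgment the receiver has to make on some other basis.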