On April 26, 2023 2:23:52 AM UTC, Jesse Thompson <z...@fastmail.com> wrote:
>On Tue, Apr 25, 2023, at 8:06 PM, John Levine wrote:
>> It appears that Scott Kitterman  <skl...@kitterman.com> said:
>> >My recollection is that a general formulation that I proposed had at least 
>> >some traction out of both groups:
>> >
>> >> [some appropriate description] domains MUST NOT publish restrictive DMARC
>> >> policies due to interoperability issues
>> 
>> This seems like a reasonable approach. As a purely practical point, I
>> cannot imagine this document getting through the IESG without some
>> clear guidance about DMARC's interop issues.
>> 
>> R's,
>> John
>> 
>> PS: If anyone was going to suggest we just tell people how to change
>> their mailing lists to work around DMARC, don't go there.
>
>How about:
>
>Domain owners who have users who individually request 3rd parties to emit 
>mail as an address within the domain MUST NOT publish a restrictive DMARC 
>policy if they wish to support their users' usage of any potential 3rd party. 
>Examples of 3rd parties include mailing lists and email service providers. 
>These 3rd parties are not always aware of, or willing to work around, DMARC. 
>Domain owners implementing DMARC as a means for governance by restricting the 
>unauthorized usage of the domain MUST be aware that not all of the 3rd parties 
>will make changes to work around DMARC, resulting in interoperability issues 
>for their users' usage of the 3rd parties. Domain owners SHOULD provide an 
>alternative address for these users within a cousin domain or subdomain that 
>is not directly associated with the organization's brand-associated domain 
>that is used for marketing and transactional email that needs the security 
>benefits of DMARC. These users MUST use an address within a domain that does 
>not have a restrictive DMARC policy.
>
>(Not a troll. Not directly aware of humming (sorry, it's on my bucket list). 
>Hopefully, didn't touch the 3rd rail. Honestly, in good faith, representing 
>the perspective of an extremely large domain owner, users within said 
>policy-restricted domain, and as a 3rd party commonly used by these, and 
>similar, users.)
>

I never really got humming either (I mean I understand the theory and that it 
works, but that doesn't make it not weird in my book).

I can see what you're attempting here and I see the logic.  I think the 
normative part would need to be about 90% shorter.

I think it misses the impact on innocent bystanders.  When you send mail from a 
domain with a restrictive policy and indirect recipients reject that mail, the 
intermediary gets the bounce and things like involuntary unsubscriptions from 
mailing lists result.  It's not just about the impact on the relevant domain.  
It's also about third party impacts.

Thanks,

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
