There are options on TLS failure. Mandatory TLS is actually pretty common, since PCI DSS, HIPAA and GDPR have all been interpreted as requiring TLS on email. For outbound mail, our MTA is configured to drop the connection if encryption cannot be established. I think this configuration option has become pretty common in commercial products. Domains that cannot accept encrypted traffic are handled with secure web relay (Zixmail or one of its many imitators). In the case of a report recipient that cannot accept TLS traffic, we would simply drop the destination.
For inbound mail, my organization has concluded that data security is the responsibility of the sender, so we do accept unencrypted messages. By and large, mandatory TLS will be implemented consistently, rather than on a specific message like a DMARC report, so I don't know how much needs to be said in this document.

Doug

On Tue, Apr 25, 2023 at 12:29 PM John R. Levine <jo...@iecc.com> wrote:
> >> Since the only mechanism is mail and nobody's going to S/MIME encrypt
> >> their reports, I suggest just deleting it.
> >
> > TLS vs not TLS.
>
> I suppose, but that's not up to the report sender. If I say
> "rua=mailto:rep...@cruddy.org", and the MX for cruddy.org doesn't do
> STARTTLS, what are you going to do?
>
> R's,
> John
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
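A Postfix main.cf fragment, added here as an illustration and not taken from the thread or from either participant, showing the opportunistic default (the case John raises) beside the mandatory outbound TLS setting Doug describes, plus the per-destination policy map used for exceptions. Hostnames, paths and domains are placeholders.

```conf
# main.cf (Postfix), added example; not from the dmarc thread.
#
# Opportunistic TLS (the usual default): encrypt when the remote MX
# offers STARTTLS, otherwise fall back to cleartext. With this setting
# a DMARC report sent to an rua= address whose MX has no STARTTLS is
# still delivered, just unencrypted.
#smtp_tls_security_level = may

# Mandatory TLS for all outbound mail: if STARTTLS cannot be negotiated
# the message is not sent in the clear; it stays queued and eventually
# bounces back to the local sender instead.
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1

# Per-destination overrides. Keys are next-hop domains, values are
# security levels. Raising a known partner to "secure" with a
# certificate match is safe; an entry of "may" or "none" for a domain
# deliberately reintroduces cleartext delivery to that domain, so
# destinations that cannot do TLS are better routed elsewhere
# (e.g. a secure web relay via transport_maps) than downgraded here.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (run postmap after editing);
# placeholder domains:
#   partner.example.com   secure match=mx.partner.example.com

# Inbound: offer STARTTLS and accept it when the client uses it, but do
# not require it, matching the position that securing a message in
# transit is the sender's responsibility.
smtpd_tls_security_level = may
# Placeholder certificate and key paths for this MX.
smtpd_tls_cert_file = /etc/postfix/tls/mx.example.org.crt
smtpd_tls_key_file = /etc/postfix/tls/mx.example.org.key
```

Postfix does not allow trailing comments on a parameter line, which is why every comment above sits on its own line.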