I am reluctant to consider DMARCbis ready to button-up unless we have at least a rough idea of how an evaluator uses it safely and appropriately in the real world.
Doug

On Sun, Aug 6, 2023, 2:38 PM Scott Kitterman <skl...@kitterman.com> wrote:

> On Sunday, August 6, 2023 2:10:35 PM EDT Hector Santos wrote:
> > > On Aug 5, 2023, at 5:37 PM, Scott Kitterman <skl...@kitterman.com> wrote:
> > >
> > > On Saturday, August 5, 2023 3:59:02 PM EDT John Levine wrote:
> > >> It appears that Scott Kitterman <skl...@kitterman.com> said:
> > >>>> When receivers apply the "MUST NOT reject" in Section 8.6 to accept
> > >>>> unauthenticated messages as quarantined messages, receivers SHOULD
> > >>>> carefully review how they forward mail traffic to prevent additional
> > >>>> security risk. That is, this downgrade can enable spoofed messages that
> > >>>> are SPF DMARC authenticated with a fraudulent From identity despite having
> > >>>> an associated strong DMARC policy of "p=reject". ...
> > >>
> > >> We all realize that SPF has problems, but I really do not want to fill
> > >> up the DMARC document with text that says "you can authenticate with
> > >> SPF, hahaha no just kidding."
> > >>
> > >> The way to fix Microsoft's forwarding SPF problem is for Microsoft to put
> > >> the forwarding user's bounce address on the message, not for us to tell
> > >> the entire world to use kludgy workarounds.
> > >
> > > I agree. We need to be careful to solve protocol problems in the protocol
> > > and leave fixing implementation problems to implementers. We aren't
> > > going to protocol our way out of bad implementation decisions.
> >
> > Taken within the good-intention, protocol-compliant implementations, which
> > one do we add as “Implementations Notes?” Which or rather What are
> > “Current Practice” behavior can we note?
>
> I think best current practice goes in a different document. Maybe we do that
> after DMARCbis is buttoned up?
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc