On Wed 25/Oct/2023 05:38:01 +0200 Murray S. Kucherawy wrote:
> On Tue, Oct 24, 2023 at 11:15 AM Barry Leiba <barryle...@computer.org> wrote:
>> 2. Do we have what we need to finish up the DMARCbis document, and
>> should the chairs cancel the session at 118?
>
> A few questions, but they don't demand in-person time if we want to just
> deal with them on the list:
>
> * Is there consensus on moving ahead with the idea of a way to indicate
> which authentication method(s) the Domain Owner wants Receivers to use? If
> so, it doesn't seem to be in the document yet.

My recall is that we want to limit DMARC evaluation to DKIM only, for the edge
cases of domains with over-wide SPF policies, since they proved to be
vulnerable to false DMARC pass. The WG discussed the possibility to also
require both methods to limit replay, and concluded that the idea was a foot
gun. Hence the WG agreed on the comma syntax.

> * Given some of the stuff we're hearing in the wings about the utility of
> ARC, do we want to talk about it in -bis at all? The original plan (I
> thought) was that if it turned out to be high signal, we could add it as a
> third supported method. I'm hearing positive value from a couple of
> operators, but nothing of the form "Yes, this solves the DMARC problem with
> lists."

ARC was barely specified. A protocol to regulate in which cases it overrides
DMARC was not specified. A reporting mechanism was not specified. These
issues belong to the charter and I hope the WG will tackle them, after DMARCbis
last call. To merge an ARC applicability statement into DMARCbis would distort
it into an experimental thing, thereby failing to standardize it.
Best
Ale