On Mon, Mar 18, 2024 at 2:38 AM John R Levine <jo...@taugh.com> wrote:

> On Sun, 17 Mar 2024, Dotzero wrote:
> >> Whenever mail is sent, there is a risk that an overly permissive source
> >> may send mail which will receive a DMARC pass result that was not, in
> >> fact, authorized by the Domain Owner. These false positives may lead
> >> to issues when systems interpret DMARC pass results to indicate
> >> a message is in some way authentic. They also allow such unauthorized
> >> senders to evade the Domain Owner's requested message handling for
> >> authentication failures.
>
> > I have a problem with this 2nd paragraph and believe it is factually
> > incorrect. The Domain Owner has in fact authorized the message(s) as a
> > result of an overly permissive approach. I would suggest that in fact any
> > resulting DMARC pass is technically NOT a false positive because it is
> > authorized by the overly permissive approach.
>
> Seems to me it depends on what you think "authorized" means.  My sense
> is I told you it's OK to send the message, yours seems to be that any host
> on an IP in the SPF record or anyone who steals your DKIM key is
> authorized by definition.
>
> Is there some other wording that can make the difference clear?
>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly



Here's a quick stab at some modified wording for the second paragraph:

Whenever mail is sent, there is a risk that an overly permissive source
may send mail which will receive a DMARC pass result that was not, in
fact, intended by the Domain Owner. These results may lead
to issues when systems interpret DMARC pass results to indicate
a message is in some way authentic. They also allow such unauthorized
senders to evade the Domain Owner's intended message handling for
authentication failures.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
