On 20 Nov 2019, at 8:17, Jon Burke via mailop wrote:

> I know ISPs can enforce a stricter policy (e.g. reject although policy is p=quarantine) but I don't often see ISPs applying a more lenient response than stated in the DMARC policy. I can think of one reason for doing so (user added the sender to his / her safe-sender list) and wanted to ask if you know of some other reasons?

I don't know if mass-market ISPs view it this way, but in my roles with email hosting providers I have never seen DMARC policies taken seriously except as a nuisance for the operation of discussion mailing lists. In a brief inadvertent experiment involving a discussion list last year, I found that honoring "p=reject" was done only by a small handful of unfortunately large consumer mailbox providers. There has also recently been substantial upset in the SpamAssassin user community caused by the unannounced addition of DMARC policy enforcement to a widely-used 3rd-party SpamAssassin ruleset.

The reason for ignoring p=reject is simply that it results in rejecting more legitimate mail with broken signatures than it results in rejections of actual forgeries that would not otherwise be rejected. The reason for ignoring p=quarantine is that "quarantines" (and their close cousins "spam folders") are not worth the troubles they can cause for sites which mostly do very good spam classification, because users discount the potential of there being anything of value in the quarantine.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
