Nick Tait wrote: > Nick Tait wrote: > > Perhaps the advice should be: If you are using Sendmail, then (a) you > > shouldn't publish a DMARC policy and (b) you shouldn't reject emails > > based on failed DMARC check; but if you aren't using Sendmail then as > > long as you don't mind rejecting emails from misconfigured domains, then > > it is fine to apply whatever policy is published by that domain? The way > > I see it at least when you reject an email it might give the sender a > > clue that they have a DMARC problem? ...That is, except when their email > > has been forwarded by a mailing list. :-( > > Sorry I meant to say: "If you are using Sendmail, then (a) you shouldn't > publish a */p=reject/* DMARC policy..."
DMARC is for other people for your outgoing mail. To instruct other sites as to what you wish them to do. It is these other sites that might be running Sendmail not yours. Whether you reject incoming mail based upon other people's DMARC settings is a different policy. You may or may not adhere to other people's policies for your incoming mail. Drift... I do not reject incoming mail for failing DMARC. Although I should. Because if the other sites have asked for that then it seems rude not to comply. But it is most often applied in error. I will leave enforcement to the large operations I publish a DMARC policy for outgoing mail. My published DMARC policy is "none". I think a strict DMARC policy is great for banks and other financial institutions that need that policy. They are not sending email through mailing lists for example. Their mail is direct between their sending host and your receiving host. Most of the time anyway. But I think a strict DMARC is unsuitable for wide use by users and wide usage everywhere such as mailing lists and so forth where it is expected that their messages will not take a direct path. Such as mail through this very mailing list. I expect to be sending my mail to a mailing list. I expect the mailing list to be mailing it out to other users. Therefore the best DMARC policy for me is "none". And I publish it so that sites like Google that score based upon the presence or absense of a DMARC policy will not score me with demerits for the absence of a DMARC policy. Bob
