On 11/10/2014 5:52 PM, Murray S. Kucherawy wrote:
> I've posted an update to the base draft, based on recent feedback from
> Ned and others.

Tidbits...

Intro:

> Security terms used in this document are defined in [SEC-TERMS].

There's a Terminology section, so this really belongs there.

2.2:

> attacks in the RFC5322.From field, also known as "display-name"
> attacks;

   attacks on using the free-form portion of the RFC5322.From field,
   also known as "display-name" attacks, after its ABNF rulename;

3.13:

The Flow Diagram needs to have the DKIM and SPF boxes /also/ connected
directly to the Filtering Engine, since they still provide information
directly to it.

I suggest either:

   [ASCII flow diagram; the line layout did not survive extraction.
   Boxes: Author Domain; MSA Service; DKIM Signer; DKIM Verifier; SPF
   Verifier; oMTA -> (other MTAs) -> rMTA; MDA / Filtering Engine; DMARC
   Verifier; User Mailbox. A dotted line runs from the Author Domain
   across the top and down the right-hand side; the Filtering Engine and
   the DMARC Verifier are joined by <***>, and the Filtering Engine feeds
   the User Mailbox.]

or

   [ASCII flow diagram; the line layout did not survive extraction.
   Boxes: Author Domain; MSA Service; DKIM Signer; DKIM Verifier; SPF
   Verifier; DMARC Verifier; sMTA -> (other MTAs) -> rMTA -> MDA /
   Filtering Engine -> User Mailbox. A starred line (*****>) from the
   verifiers enters the DMARC Verifier, and three starred lines arrive
   at the top of the Filtering Engine box.]

Since Murray saw a variant of the latter from me earlier, he won't be
surprised that I prefer it...

5. Policy:

> A Domain Owner may choose not to participate in DMARC evaluation by

may -> can

(I assume that we don't use normative language to tell people that they
have the right to opt out of a specification... Hmmm. Normative language
would actually be contradictory, I think...)

> Mail Receivers. In this case, the Domain Owner simply declines to
> advertise participation in those schemes. For example, if the
> results of path authorization checks ought not be considered as part
> of the overall DMARC result for a given Author Domain, then the
> Domain Owner does not publish an SPF policy record that can produce
> an SPF pass result.

The way to opt out of DMARC is to not publish a DMARC record. So "those
schemes" doesn't make sense to me, nor does the reference to an SPF
record. I think this should say:

   Mail Receivers. In this case, the Domain Owner simply declines to
   advertise participation. That is, the Domain Owner does not publish
   a DMARC record in the DNS.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
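The opt-out rule discussed at the end of the message (a domain participates in DMARC only if it publishes a DMARC record; SPF records play no part in that decision) can be stated as a small checker. This is an added example, not code from the message, the draft or the IETF working group. It goes slightly beyond the message by applying the record-discovery rules of the published RFC 7489, section 6.6.3, which I assume match the draft under review: records not beginning with v=DMARC1 are discarded, zero or multiple remaining records mean no DMARC processing, and a record lacking a valid p= tag is treated as p=none only if it carries a rua= URI. The function names and the TXT record sets below are mine and are constructed for illustration.

```python
"""Decide from the TXT records at _dmarc.<domain> whether a domain has
opted in to DMARC evaluation (added example; helper names and sample
records are constructed, not taken from the draft or the mailing list).
"""
from typing import Optional

# The three policies a p= tag may request (RFC 7489 section 6.3).
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict of tags.

    Tag names are lower-cased; values keep their case (a rua= URI may be
    case-sensitive). Pieces without '=' are ignored rather than fatal.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_participation(txt_records: list) -> Optional[dict]:
    """Return the parsed DMARC record if the domain participates, else None.

    Following RFC 7489 section 6.6.3: keep only records starting with
    v=DMARC1; if none or more than one remain, treat the domain as not
    participating.  A record with no valid p= tag is honoured as p=none
    when it names a rua= report address, and discarded otherwise.  Whether
    the domain also publishes an SPF record is irrelevant here.
    """
    candidates = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(candidates) != 1:
        return None
    tags = parse_dmarc_record(candidates[0])
    if tags.get("p") in VALID_POLICIES:
        return tags
    if tags.get("rua", "").startswith("mailto:"):
        tags["p"] = "none"  # reporting-only participation
        return tags
    return None


def effective_policy(txt_records: list) -> Optional[str]:
    """Convenience wrapper: the requested policy, or None if opted out."""
    tags = dmarc_participation(txt_records)
    return tags["p"] if tags else None


# Constructed sample TXT record sets, as they might be returned for
# _dmarc.<domain>; none of these are real domains' records.
SAMPLE_RECORD_SETS = {
    "participating": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.net"],
    "no_record": [],
    "unrelated_txt_only": ["site-verification=0123abcd"],
    "two_dmarc_records": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "missing_p_with_rua": ["v=DMARC1; rua=mailto:dmarc-rua@example.net"],
    "missing_p_no_rua": ["v=DMARC1; adkim=s"],
}

if __name__ == "__main__":
    for name, records in SAMPLE_RECORD_SETS.items():
        policy = effective_policy(records)
        status = f"participates (p={policy})" if policy else "opted out (no usable DMARC record)"
        print(f"{name:22s} -> {status}")
```

Feeding the function the records actually returned by a resolver for `_dmarc.<domain>` gives the same yes/no answer a Mail Receiver would reach; note that two published records, a common copy-paste mistake, silently opt the domain out.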