Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-21 Thread Jesse Thompson
On 8/21/20 4:05 PM, Brandon Long wrote: > > > On Fri, Aug 21, 2020 at 12:24 PM Jim Fenton > wrote: > > On 8/17/20 3:52 PM, Jesse Thompson wrote: > > With a complex organization the only way to get people to change is to > publish a restrictive DMARC polic

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-21 Thread Brandon Long
On Fri, Aug 21, 2020 at 12:24 PM Jim Fenton wrote: > On 8/17/20 3:52 PM, Jesse Thompson wrote: > > With a complex organization the only way to get people to change is to > publish a restrictive DMARC policy and then see who comes out of the > woodwork sheepishly admitting that they've been ignori

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-21 Thread Jim Fenton
On 8/17/20 3:52 PM, Jesse Thompson wrote: > With a complex organization the only way to get people to change is to > publish a restrictive DMARC policy and then see who comes out of the woodwork > sheepishly admitting that they've been ignoring us for years. > > Normal people sending email (esp

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-18 Thread Jesse Thompson
On 8/18/20 3:54 AM, Alessandro Vesely wrote: > On Tue 18/Aug/2020 01:39:16 +0200 Jesse Thompson wrote: >> On 8/7/20 9:32 PM, John Levine wrote: We need spoofing protection for all of our domains without being told we're misdeploying. >>> >>> I would be interested to better understand th

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-18 Thread Autumn Tyr-Salvia
iling list use case for differing header domains On 8/7/20 9:32 PM, John Levine wrote: >> We need spoofing protection for all of our domains without being told we're >> misdeploying. > > I would be interested to better understand the meaning of "need" > her

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-18 Thread Alessandro Vesely
On Tue 18/Aug/2020 01:39:16 +0200 Jesse Thompson wrote: > On 8/7/20 9:32 PM, John Levine wrote: >>> We need spoofing protection for all of our domains without being told we're >>> misdeploying. >> >> I would be interested to better understand the meaning of "need" >> here. It is my impression tha

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-17 Thread Jesse Thompson
On 8/7/20 9:32 PM, John Levine wrote: >> We need spoofing protection for all of our domains without being told we're >> misdeploying. > > I would be interested to better understand the meaning of "need" > here. It is my impression that most people vastly overestimate how > much of a phish target

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-17 Thread Jesse Thompson
On 8/13/20 10:03 AM, John R Levine wrote: >> -Admittedly, that's where my bias comes in. My job is working with >> organizations that have paid my employer for me to be that outside help, so >> it's rare for me to see how badly it can be done by people setting >> restrictive DMARC policies witho

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-13 Thread John R Levine
-Admittedly, that's where my bias comes in. My job is working with organizations that have paid my employer for me to be that outside help, so it's rare for me to see how badly it can be done by people setting restrictive DMARC policies without knowing what they're doing. If they all talked t

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-13 Thread Autumn Tyr-Salvia
__ From: Neil Anuskiewicz Sent: Wednesday, August 12, 2020 3:17 PM To: John Levine Cc: dmarc@ietf.org ; Autumn Tyr-Salvia Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains > On Aug 7, 2020, at 12:12 PM, John Levine wrote: > > In article >

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-12 Thread John R Levine
I do think that sometimes people don’t take p=reject seriously enough, and don’t realize how much time and monitoring and prep it takes. I mostly work with smaller entities but I advise staying at p=none of the time unless there’s spoofing. Otherwise, it’s reporting only, watch the reports, an

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-12 Thread Neil Anuskiewicz
> On Aug 7, 2020, at 12:12 PM, John Levine wrote: > > In article > > you write: >> I feel like what is happening sometimes is that central university IT is >> trying to drag their whole institutions into a >> more secure posture before anybody in a position to stop them fully >> understan

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-10 Thread Douglas E. Foster
Alessandro observed: >> However, that kind of hush hush is not deterministic, since the >> protocol does not define the "external information". Providing for a >> URL pointing to such external source might help. Even an external reputation system requires recipient participation. That is why I

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-10 Thread Alessandro Vesely
On 2020-08-09 6:54 p.m., Tõnu Tammer wrote: DMARC relies on SPF and DKIM. The latter is particularly important for the mailing lists to ensure that DMARC works. And when I read the cases it is clear that the issue is not of DMARC but of DKIM. Indeed, one of the proposed workarounds, Recognize

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-09 Thread Jim Fenton
On 8/5/20 9:36 AM, Jesse Thompson wrote: > On 8/4/20 11:52 AM, Alessandro Vesely wrote: >> On 2020-08-04 6:10 p.m., Dotzero wrote: >>> There is another solution. Move users to a separate domain from the domain > Long ago we put users on our org domain as a way to unify users (in a very > decentral

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-09 Thread Dave Crocker
On 8/9/2020 9:54 AM, Tõnu Tammer wrote: "Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature." If this is not the case, the relay is actually violating DKIM standard. However, a mailing

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-09 Thread Tõnu Tammer
Hi! I keep reading the discussion and I am surprised how people express views that current DMARC standard does not work. I am surprised that technical people here express this view. DMARC relies on SPF and DKIM. The latter is particularly important for the mailing lists to ensure that DMARC works

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-09 Thread Hannu Aronsson
Hello, Quick correction: As DMARC requires only either DKIM or SPF which I had confused, this removes the need for the proposal point 1). Thanks for the off-list help received. This seems to be mostly an SPF issue, but still remains when - SPF is used alone without DMARC (not sure if relevant

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-09 Thread Hannu Aronsson
Hello, I have been lurking here around for a while and we have been working at M3AAWG for some time as well. Today’s DMARC is breaking more and more email as it gets more widely and often overly strictly deployed. I feel the major issue with DMARC is email forwarding in its many forms, in ad

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-08 Thread Douglas E. Foster
lf. Do we move forward with an approach like this? From: Alessandro Vesely Sent: 8/8/20 5:52 AM To: dmarc@ietf.org Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains On 2020-08-08 4:27 a.m., John Levine wrote: > > Some years ba

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-08 Thread Alessandro Vesely
On 2020-08-08 4:27 a.m., John Levine wrote: Some years back people kept asking Spamhaus to set up a whitelist, so they hired me to do it. Technically it worked fine, but it soon became apparent that the only people who were interested weren't people who we'd want to whitelist. The good quality s

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread Dave Crocker
On 8/7/2020 7:32 PM, John Levine wrote: I would be interested to better understand the meaning of "need" here. It is my impression that most people vastly overestimate how much of a phish target they are. Paypal and big banks certainly are, other places, a lot less so. I suspect the calculus

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread John Levine
In article <78fd8b26-0bed-ac36-842d-a851ec04d...@wisc.edu> you write: >On 8/7/20 2:12 PM, John Levine wrote: >> My guess is that MIT figured Microsoft will host this for free, that's >> great, totally unaware that some of its users' mail would silently >> break. > >Customers of Microsoft don't like

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread John Levine
In article <10c441a53dec4277a3153ed8d89d3...@bayviewphysicians.com> you write: >-=-=-=-=-=- > >Murray, I have most recently used this link at AOL/Yahoo: >https://postmaster.verizonmedia.com/sender-request > >I have considered using the more complete "Complaint Feedback Loop", >https://postmast

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread Douglas E. Foster
6 PM To: Doug Foster Cc: Dave Crocker , IETF DMARC WG Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains On Sun, Aug 2, 2020 at 5:44 PM Douglas E. Foster wrote: Murray took server too literally. I have expressed before that a system could do a sender authenticati

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread Jesse Thompson
On 8/7/20 2:12 PM, John Levine wrote: > In article > > you write: >> I feel like what is happening sometimes is that central university IT is >> trying to drag their whole institutions into a >> more secure posture before anybody in a position to stop them fully >> understands what's going on

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread Murray S. Kucherawy
On Sun, Aug 2, 2020 at 5:44 PM Douglas E. Foster < fost...@bayviewphysicians.com> wrote: > Murray took server too literally. I have expressed before that a system > could do a sender authentication lookup on List-ID as easily as on From. > In this respect, it is similar to Dave's proposal, witho

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread John Levine
In article you write: >I feel like what is happening sometimes is that central university IT is >trying to drag their whole institutions into a >more secure posture before anybody in a position to stop them fully >understands what's going on lest they be told to >stop because it might make thi

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-07 Thread Autumn Tyr-Salvia
er adoption. Thanks, Autumn Tyr-Salvia atyrsal...@agari.com Agari Principal Customer Success Engineer From: dmarc on behalf of Dotzero Sent: Wednesday, August 5, 2020 12:52 PM To: Jesse Thompson Cc: IETF DMARC WG Subject: Re: [dmarc-ietf] non-mailing list

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-06 Thread Alessandro Vesely
On 2020-08-05 9:52 p.m., Dotzero wrote: > Required authentication for .gov domains moved forward in fits and > starts up to the point of the DHS mandate. DHS approached the use > of DMARC and authentication as a blunt one size fits all > instrument. That makes sense! If you look at email from a u

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-05 Thread Dotzero
On Wed, Aug 5, 2020 at 12:39 PM Jesse Thompson wrote: > On 8/4/20 11:52 AM, Alessandro Vesely wrote: > > On 2020-08-04 6:10 p.m., Dotzero wrote: > >> On Tue, Aug 4, 2020 at 11:39 AM Jim Fenton > wrote: > >>> On 8/2/20 5:43 PM, Douglas E. Foster wrote: > As to the transparency question, it s

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-05 Thread Jesse Thompson
On 8/4/20 11:52 AM, Alessandro Vesely wrote: > On 2020-08-04 6:10 p.m., Dotzero wrote: >> On Tue, Aug 4, 2020 at 11:39 AM Jim Fenton wrote: >>> On 8/2/20 5:43 PM, Douglas E. Foster wrote: As to the transparency question, it should be clear that there will be no simple solution to the ML

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-04 Thread Alessandro Vesely
On 2020-08-04 6:10 p.m., Dotzero wrote: > On Tue, Aug 4, 2020 at 11:39 AM Jim Fenton wrote: >> On 8/2/20 5:43 PM, Douglas E. Foster wrote: >>> As to the transparency question, it should be clear that there will be >>> no simple solution to the ML problem. >> >> Actually, there is: If your domain h

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-04 Thread Dotzero
On Tue, Aug 4, 2020 at 11:39 AM Jim Fenton wrote: > On 8/2/20 5:43 PM, Douglas E. Foster wrote: > > As to the transparency question, it should be clear that there will be > > no simple solution to the ML problem. > > Actually, there is: If your domain has users that use mailing lists, > don't pub

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-04 Thread Jim Fenton
On 8/2/20 5:43 PM, Douglas E. Foster wrote: > As to the transparency question, it should be clear that there will be > no simple solution to the ML problem. Actually, there is: If your domain has users that use mailing lists, don't publish 'reject' or 'quarantine' policies. Generally this means t

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-04 Thread Jim Fenton
On 8/2/20 2:24 PM, John R Levine wrote: >>> If they would provide a way to register a mailing list and the servers >>> from which it comes, and allow DMARC exceptions for traffic from those >>> registered lists, your situation would be much easier? > > If large mail providers were willing to whitel

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-04 Thread Kurt Andersen (b)
This is a known issue with many calendaring frameworks. Besides the issue of delegates who are sending on behalf of someone in another domain, most calendaring systems send "forwarded" invitations by trying to resend in the name of the event originator. --Kurt _

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-04 Thread Benny Pedersen
John R Levine wrote on 2020-08-02 23:24: If large mail providers were willing to whitelist known mailing lists we wouldn't need ARC. if no one broke dkim then we did not need arc See previous messages for why that isn't sufficient. missing arc will not break spf dkim, but it preserves s

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-03 Thread Ken O'Driscoll
On 03/08/2020 01:43, Douglas E. Foster wrote: > > I am not sure what "Internet Scale" means to you.   Most of the major > recipients have bulk mailer registration systems.   It does not > guarantee whitelisting, but it tends to produce that effect.   I have > had occasion to register with most of t

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread Douglas E. Foster
no other possibilities on this side of FantasyLand. DF From: Dave Crocker Sent: 8/2/20 5:29 PM To: IETF DMARC WG Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains On 8/2/2020 2:22 PM, Murray S. Kucherawy wrote: > Ignorin

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread Dave Crocker
On 8/2/2020 2:22 PM, Murray S. Kucherawy wrote: Ignoring for the moment the problems of scale with any "register your lists" solution, I don't think users can reasonably be expected to keep such a registration current if, say, the servers were to move.  Such a migration would no longer be trans

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread John R Levine
If they would provide a way to register a mailing list and the servers from which it comes, and allow DMARC exceptions for traffic from those registered lists, your situation would be much easier? If large mail providers were willing to whitelist known mailing lists we wouldn't need ARC. See

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread Murray S. Kucherawy
On Sun, Aug 2, 2020 at 11:55 AM Douglas E. Foster < fost...@bayviewphysicians.com> wrote: > If they would provide a way to register a mailing list and the servers > from which it comes, and allow DMARC exceptions for traffic from those > registered lists, your situation would be much easier? > Ig

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread John R Levine
Is it fair to say that AOL/Yahoo/Verizon is the core of the problem for you? No, it is fair to say that misuse of DMARC is the problem. Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread Douglas E. Foster
From: "John Levine" Sent: 8/2/20 12:58 PM To: dmarc@ietf.org Cc: fost...@bayviewphysicians.com Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains In article you write: >I wonder if this is typical - are mailing list subscribers m

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread John Levine
In article you write: >I wonder if this is typical - are mailing list subscribers more likely to be >on DMARC-enforcing domains than the general population? > >Do the mailing list operators have data about what percentage of their >subscribers (or percentage of unique domains) have DMARC policy

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-02 Thread Douglas E. Foster
From: Neil Anuskiewicz Sent: 8/1/20 9:27 PM To: Luis E. Muñoz Cc: dmarc@ietf.org Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains I looked at ~3.5 million domain names and here's some of what I found. This data might be useful to the discu

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-08-01 Thread Neil Anuskiewicz
I looked at ~3.5 million domain names and here's some of what I found. This data might be useful to the discussion. As for me, I'm lurking and learning. Anyway, I looked at ~3.5 million domain names and here's some of what I found: FTSE DMARC Adoption DMARC Policy 10/18/2019 No record 56% none 34

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-31 Thread John R Levine
On Fri, 31 Jul 2020, Jesse Thompson wrote: I think they want their IT staff to deploy an email system and policies that work the way they would expect. They want their organization to be seen as secure, so they don't want to be on the Buzzfeed list of Fortune 500 companies that have neglected

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-31 Thread Jesse Thompson
On 7/31/20 2:30 PM, John Levine wrote: > In article you write: >> I think you're right, and isn't the market indicating that there is demand >> for DMARC designed for other usage patterns? e.g. >> Would the CEO of any of those fortune 500 companies like the idea of their >> personal address bei

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-31 Thread John Levine
In article you write: >I think you're right, and isn't the market indicating that there is demand for >DMARC designed for other usage patterns? e.g. >Would the CEO of any of those fortune 500 companies like the idea of their >personal address being spoofed? I dunno. Would they like the idea of

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-31 Thread Jesse Thompson
On 7/30/20 5:52 PM, Jim Fenton wrote: > There's an underlying assumption here that I don't agree with: that > DMARC adoption equates to the publication of a p=reject DMARC policy, > and that everyone (or at least all Fortune 500 companies) should be > doing that. p=reject should only be used when t

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-31 Thread Alessandro Vesely
On Wed 29/Jul/2020 19:34:48 +0200 Hector Santos wrote: On 7/28/2020 1:19 PM, Doug Foster wrote: Hector, I do not understand this comment: "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party domains. DMARC did not address the problem and reason ADSP was abandoned. Hence

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Luis E. Muñoz
On 30 Jul 2020, at 15:52, Jim Fenton wrote: There's an underlying assumption here that I don't agree with: that DMARC adoption equates to the publication of a p=reject DMARC policy, and that everyone (or at least all Fortune 500 companies) should be doing that. p=reject should only be used when

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Jim Fenton
On 7/28/20 2:07 AM, Laura Atkins wrote: > The underlying belief with DMARC is that mail is simple, that > companies are monoliths with only a few brands/domains, that it is > possible to know exactly where every message will come from. These > assumptions are not and have never been true. Inevitabl

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Jesse Thompson
On 7/30/20 2:47 PM, superu...@gmail.com wrote: > Email domains that have more than a few users don't want to authorize > every potential 3rd party (converges quickly to all of them, for > large/complex organizations) to sign as every user/address in the domain.  > Even if SPF didn't have the

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Jesse Thompson
On 7/30/20 2:47 PM, superu...@gmail.com wrote: > Translated into IETF-ese: "I have not read your document but I do have an > opinion about it..."   ;-) Yeah, Dave sent me that feedback too. I was just trying to make it clear that I only have $0.02 to give, rather than trying to sound like I'm a

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Murray S. Kucherawy
On Thu, Jul 30, 2020 at 10:26 AM Jesse Thompson wrote: > I admittedly know nothing about ATPS, but I think its fundamental problem > is that it authorizes 3rd parties at the domain level and that makes it not > much better than SPF, just different. > Translated into IETF-ese: "I have not read yo

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Jesse Thompson
On 7/29/20 12:34 PM, Hector Santos wrote: > On 7/28/2020 1:19 PM, Doug Foster wrote: >> Hector, I do not understand this comment: >> >> "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party >> domains. DMARC did not address the problem and reason ADSP was abandoned. >> Hence

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Hector Santos
On 7/30/2020 7:57 AM, Ken O'Driscoll wrote: On 30/07/2020 11:39, Jeremy Harris wrote: That works at a domain-controlled level. But people sign up for, and write to, mailinglists on an individual level. Mismatch. To be fair, this thread is specifically about a non-MLM use case at an organisat

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Hector Santos
On 7/30/2020 6:39 AM, Jeremy Harris wrote: On 29/07/2020 18:34, Hector Santos wrote: Look at my DMARC record for my isdg.net domain: v=DMARC1; p=reject; atps=y; rua=mailto:dmarc-...@isdg.net; ruf=mailto:dmarc-...@isdg.net; The atps=y [...] So anyone out there can see that I authorized bayviewp

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Ken O'Driscoll
On 30/07/2020 11:39, Jeremy Harris wrote: > That works at a domain-controlled level. But people sign up for, > and write to, mailinglists on an individual level. Mismatch. To be fair, this thread is specifically about a non-MLM use case at an organisational level. But, I believe that any improve

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-30 Thread Jeremy Harris
On 29/07/2020 18:34, Hector Santos wrote: > Look at my DMARC record for my isdg.net domain: > > v=DMARC1; p=reject; atps=y; rua=mailto:dmarc-...@isdg.net; > ruf=mailto:dmarc-...@isdg.net; > > The atps=y [...] > So anyone out there can see that I authorized bayviewphysicians.com to > sign for isdg

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-29 Thread Douglas E. Foster
On the issue of spoofing, only two security postures are possible in the incoming mail gateway: We allow spoofing by default, then block problematic spoofing as detected, on a case-by-case basis. We disallow spoofing by default, then allow desired mail as needed, on a case-by-case basis. Only the

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-29 Thread Hector Santos
On 7/28/2020 1:19 PM, Doug Foster wrote: Hector, I do not understand this comment: "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party domains. DMARC did not address the problem and reason ADSP was abandoned. Hence the on-going dilemma." SSP, ADSP and DMARC are techn

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-29 Thread Laura Atkins
> On 29 Jul 2020, at 13:46, Todd Herr > wrote: > > > > On Wed, Jul 29, 2020 at 6:55 AM Laura Atkins > wrote: > > I’m not sure why deliverability people are even mentioned here. The problems > with DMARC primarily affect one-to-one or one-to-few mails, not b

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-29 Thread Todd Herr
On Wed, Jul 29, 2020 at 6:55 AM Laura Atkins wrote: > > I’m not sure why deliverability people are even mentioned here. The > problems with DMARC primarily affect one-to-one or one-to-few mails, not > bulk mails. The breakage DMARC causes doesn’t really affect marketing, > newsletters or anything

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-29 Thread Laura Atkins
> On 28 Jul 2020, at 23:54, John R Levine wrote: > Which verdict gets applied to the message? >>> >>> I believe the reasoanble answer is both, and the filtering engine >>> evaluates both based on their reputations. >>> >> Two responses, two different but equally valid answers, the other

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-29 Thread Alessandro Vesely
On Tue 28/Jul/2020 23:23:24 +0200 John R Levine wrote, quoting Autumn: To Todd's point, I think the answer on which policy would be applied at least needs to be predictable. If one receiver chooses one policy and a different receiver chooses the other policy, that is going to make it significant

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-29 Thread Alessandro Vesely
On Tue 28/Jul/2020 19:19:50 +0200 Doug Foster wrote: > Hector, I do not understand this comment: > >> "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party >> domains. DMARC did not address the problem and reason ADSP was abandoned. >> Hence the on-going dilemma." > > Doma

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread John R Levine
Which verdict gets applied to the message? I believe the reasonable answer is both, and the filtering engine evaluates both based on their reputations. Two responses, two different but equally valid answers, the other (Dave's) being "receiver discretion", which *could* be an umbrella term to i

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread John R Levine
To Todd's point, I think the answer on which policy would be applied at least needs to be predictable. If one receiver chooses one policy and a different receiver chooses the other policy, that is going to make it significantly more complicated for complex organizations to implement a DMARC p=r

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Dave Crocker
On 7/28/2020 2:11 PM, Autumn Tyr-Salvia wrote: To Todd's point, I think the answer on which policy would be applied at least needs to be predictable. If one receiver chooses one policy and a different receiver chooses the other policy, that is going to make it significantly more complicated for

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Todd Herr
On Tue, Jul 28, 2020 at 5:11 PM Autumn Tyr-Salvia wrote: > To Todd's point, I think the answer on which policy would be applied at > least needs to be predictable. If one receiver chooses one policy and a > different receiver chooses the other policy, that is going to make it > significantly more

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Autumn Tyr-Salvia
-ietf] non-mailing list use case for differing header domains On Tue, Jul 28, 2020 at 4:30 PM John R Levine <jo...@taugh.com> wrote: On Tue, 28 Jul 2020, Todd Herr wrote: > Using the Sender header and the "snd" bits in the DMARC policy for > f

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Dave Crocker
On 7/28/2020 1:58 PM, Todd Herr wrote: but I do believe that there will have to evolve a very limited set of known and expected possibilities for how such messages will be handled, or else wails will be wailed, teeth will be gnashed, and garments will be rent, especially among those trying to d

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Todd Herr
On Tue, Jul 28, 2020 at 4:30 PM John R Levine wrote: > On Tue, 28 Jul 2020, Todd Herr wrote: > > Using the Sender header and the "snd" bits in the DMARC policy for > > firstbrand.com, DMARC would pass for the Sender domain and fail for the > > From domain. > > > > Which verdict gets applied to th

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread John R Levine
On Tue, 28 Jul 2020, Todd Herr wrote: Using the Sender header and the "snd" bits in the DMARC policy for firstbrand.com, DMARC would pass for the Sender domain and fail for the From domain. Which verdict gets applied to the message? I believe the reasonable answer is both, and the filtering en

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Dave Crocker
On 7/28/2020 1:13 PM, Todd Herr wrote: On Tue, Jul 28, 2020 at 1:37 PM John Levine > wrote: The canonical example of different From and Sender is exactly this: Sender is an assistant working for and sending mail for From. This is also precisely the situation I

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Todd Herr
On Tue, Jul 28, 2020 at 1:37 PM John Levine wrote: > In article < > by5pr13mb29998094418c8a6c25902569d7...@by5pr13mb2999.namprd13.prod.outlook.com> > you write: > >To put it another way: > > > > * assist...@firstbrand.com is organizing a meeting for > execut...@secondbrand.com > > * assist.

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Jesse Thompson
On 7/28/20 10:59 AM, Alessandro Vesely wrote: > I understood the problem is the lack of agility.  Delegation to smaller > domains using local servers would solve it, wouldn't it?  Even with many > domains... > > What am I missing? It's assuming there are local servers in the mix, which is becom

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread John Levine
In article you write: >To put it another way: > > * assist...@firstbrand.com is organizing a meeting for > execut...@secondbrand.com > * assist...@firstbrand.com sends out a calendar invite from their own > messaging client, using >execut...@secondbrand.com in the From: field > * The

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Doug Foster
Hector, I do not understand this comment: "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party domains. DMARC did not address the problem and reason ADSP was abandoned. Hence the on-going dilemma." Domains that participate with a mailing list have the option of including

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Hector Santos
On 7/28/2020 5:07 AM, Laura Atkins wrote: The indirect mail stream issue is real. But it is not the only barrier to getting to p=reject. The sooner folks start listening to the people who are presenting real issues where DMARC alignment can’t be achieved the sooner they’ll be able to address the

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Alessandro Vesely
On Tue 28/Jul/2020 17:22:41 +0200 Laura Atkins wrote: On 28 Jul 2020, at 16:14, Alessandro Vesely wrote: On Tue 28/Jul/2020 11:07:19 +0200 Laura Atkins wrote: On 28 Jul 2020, at 08:36, Alessandro Vesely wrote: On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote: # The resulting message

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Laura Atkins
> On 28 Jul 2020, at 16:14, Alessandro Vesely wrote: > > On Tue 28/Jul/2020 11:07:19 +0200 Laura Atkins wrote: >>> On 28 Jul 2020, at 08:36, Alessandro Vesely >> On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote: > # The resulting message uses execut...@secondbrand.com in the frie

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Alessandro Vesely
On Tue 28/Jul/2020 11:07:19 +0200 Laura Atkins wrote: On 28 Jul 2020, at 08:36, Alessandro Vesely # The resulting message uses execut...@secondbrand.com in the friendly From: field, but firstbrand.com in the SMTP MAIL FROM domain, so the headers are no longer aligned for SPF. >>> # Heck, c

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Douglas E. Foster
@dmarc.ietf.org Sent: 7/28/20 2:54 AM To: "dmarc@ietf.org" Subject: [dmarc-ietf] non-mailing list use case for differing header domains Hello, I recently had a conversation with Dave Crocker about proposed changes for DMARC, and mentioned a use case to him that is not well served by t

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Laura Atkins
> On 28 Jul 2020, at 08:36, Alessandro Vesely wrote: > > On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote: >> # The resulting message uses execut...@secondbrand.com in the friendly From: >> field, but firstbrand.com in the SMTP MAIL FROM domain, so the headers are >> no longer aligne

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Dotzero
On Tue, Jul 28, 2020 at 2:54 AM Autumn Tyr-Salvia wrote: > Hello, > > I recently had a conversation with Dave Crocker about proposed changes for > DMARC, and mentioned a use case to him that is not well served by the > current situation that is not a mailing list. He said it might be useful to >

Re: [dmarc-ietf] non-mailing list use case for differing header domains

2020-07-28 Thread Alessandro Vesely
On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote: # The resulting message uses execut...@secondbrand.com in the friendly From: field, but firstbrand.com in the SMTP MAIL FROM domain, so the headers are no longer aligned for SPF. # Heck, can't they DKIM sign? Best Ale --

[dmarc-ietf] non-mailing list use case for differing header domains

2020-07-27 Thread Autumn Tyr-Salvia
Hello, I recently had a conversation with Dave Crocker about proposed changes for DMARC, and mentioned a use case to him that is not well served by the current situation that is not a mailing list. He said it might be useful to share this to this list, so I'm writing it out here. A customer of