On 7/5/12 2:54 PM, "Chris Lamont Mankowski" <[email protected]> wrote:
>Given that: > > * Whitelisting mailing lists is really the only way to get DMARC to >work with messages forwarded by lists. I donĀ¹t agree with the premise that this is something about which we need to be concerned on this project. Who gets phished via mailing lists? > >We all know that the "p=" parameter applies policy when either the SPF >check or DKIM signature fails. I'm suggesting that a "p2=' parameter >be created to match a DKIM alignment and a SPF fail. It is >conceivable that a "p1=" parameter be created for occasions when the >SPF aligns and DKIM fails. There's a conflation in terms here. When you say "aligns", you mean "passes and aligns", correct? > >Considering that ADMDs with end users (Read: non-transactional) will >likely only ever deploy "p=monitor" DMARC records, this proposal will >will maintain compatibility with existing DMARC deployments. Since >I'm asking for new parameters to be adoped and defined, I'd suggest >that "p1=" and "p2=" parameters can appear in any order and will take >precedent over a "p=" parameter. A DKIM DNS record would then look >something like this > > % dig +short TXT _dmarc.example.com. > "v=DMARC1\; p=monitor\;p2=quarantine\; >rua=mailto:[email protected]"; > >It would appear this way in a zone file: > > ; DMARC record for the domain example.com > _dmarc IN TXT ( "v=DMARC1; p=monitor; p2=quarantine;" > "rua=mailto:[email protected]"; ) > >This change will require DKIM administrators to think about which >policy they want applied, and will allow for a more flexible >deployment overall. > >Lastly, I know that DMARC is not intended to be tied to SPF and DKIM >directly, and suggest that "p1" be a validation of the envelope, and >"p2" be validation of the body. This would then allow "p=" to be >defined as a combination of "p1" and "p2", or perhaps a forward >looking "p*=" that would include a "p3=" if such a concept were to be >created or exist. > >One idea for a "p3=" would be messages that are determined to come >from a whitelisted mailing list. Considering that each installation >maintains their own lists of mailing list outbound IP (google groups, >etc) it may be beneficial for an ADMD to tell the receiving MTA how to >treat that message outside of standard handling. > >Thank you in advance for your constructive feedback. > We discussed this internally before the DMARC spec became public. If any particular technology DMARC supports can have either a "pass+align" or "fail" result, then the cross product of DKIM and SPF means you have four possibilities. That's now p= through p3=. Now suppose we adopted another technology like TLS; now it's p= through p7=. Obviously this won't scale. Is the complexity this adds worth the use cases it's protecting? -MSK > _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
