I'll respond to each point in a separate thread so it can easily be seen in the archives.

Murray wrote:

> We discussed this internally before the DMARC spec became public. If any particular technology DMARC supports can have either a "pass+align" or "fail" result, then the cross product of DKIM and SPF means you have four possibilities. That's now p= through p3=. Now suppose we adopted another technology like TLS; now it's p= through p7=. Obviously this won't scale. Is the complexity this adds worth the use cases it's protecting?

Chris Lamont Mankowski wrote:

I think a longer-term cross product would be better viewed in terms of the abstraction of WHAT is being validated: is the authentication technology "active" or "passive" in terms of the DMARC evaluation result? I think there are already ambiguities that complicate things for me. This point is all about what email technologies (present and future) are in scope and out of scope for DMARC evaluation, and also how DMARC figures that out.

Instead of explicitly listing p1= to p7= as you describe, let's abstract the common feature. Similar to how the OSI model has layers in a network stack, there are levels at which authentication, integrity and privacy are layered. Keeping with the idea that DMARC is an abstraction, we have:

1. Several technologies that authenticate from one MTA to the next (SPF and TLS) that focus on the message envelope. AKA p1=
2. Several technologies that bind the message body (or From field) to the sender (DKIM, S/MIME, PGP). AKA p2=
3. Several technologies that ensure no modification to the message (S/MIME, PGP, DKIM).
4. Several technologies that encrypt the payload from one MTA to the next (S/MIME, PGP, not DKIM).

The DMARC spec says something to the effect of: if SPF records can't be found, then DMARC policy won't apply. But what about a domain that doesn't have ADSP and also signs the messages with DKIM?

I think it would be helpful to catalog and classify existing technology and deployments into two categories:

1. Active: meaning the policy and the sender's support for a technology can be discovered without receiving an email.
2. Passive: meaning the sender's support for a technology can be discovered only by receiving an email (PGP, S/MIME, TLS auth, DKIM without ADSP).

It would then be helpful to describe in the DMARC spec the disposition assumptions that should be made in each situation (what are they). For example, should DMARC treat DKIM-signed messages differently if ADSP exists versus if it is missing? I'm pretty sure this is in the archives, but not in the forward-looking context of "active" vs "passive".

I think such a construct (p1=) with examples and definitions of active vs passive models will ensure a robust DMARC implementation across third parties. Granted, right now in DMARC we are only talking about p1= and p2=; I want to discuss p3= and p4= at some point in the future.

Sent via BlackBerry from T-Mobile

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
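The "cross product of DKIM and SPF" that Murray describes is the core of a DMARC receiver's decision: each mechanism either produces an aligned pass or it does not, and the message passes DMARC if at least one of them does. The following Python is an added illustration, not code from this thread or from dmarc.org; it implements that evaluation for the two mechanisms DMARC actually covers (p1=/p2= in Chris's terms), with strict and relaxed identifier alignment, and enumerates the four SPF/DKIM outcomes for a given policy. It simplifies the organizational domain to the last two labels (no Public Suffix List lookup), and the authentication results, domains and policy tags used below are constructed sample values.

```python
"""Minimal DMARC identifier-alignment evaluator (added example).

Simplifications (assumptions, not DMARC as deployed):
  * organizational domain = last two DNS labels, no Public Suffix List
  * SPF/DKIM results are supplied as plain strings, no DNS lookups
  * the policy record is a dict of already-parsed tags (p, adkim, aspf)
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthResult:
    mechanism: str  # "spf" or "dkim"
    result: str     # "pass", "fail", "none", "temperror", ...
    domain: str     # SPF: RFC5321.MailFrom domain; DKIM: d= tag of the signature


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' matches on
    the organizational domain (relaxed)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


def evaluate_dmarc(from_domain: str, results: List[AuthResult],
                   policy: Dict[str, str]) -> Dict[str, object]:
    """Combine SPF and DKIM: DMARC passes if either mechanism yields an
    aligned pass; otherwise the record's p= tag gives the disposition."""
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")
    spf_ok = any(r.mechanism == "spf" and r.result == "pass"
                 and is_aligned(r.domain, from_domain, aspf) for r in results)
    dkim_ok = any(r.mechanism == "dkim" and r.result == "pass"
                  and is_aligned(r.domain, from_domain, adkim) for r in results)
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    disposition = "none" if dmarc == "pass" else policy.get("p", "none")
    return {"spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "dmarc": dmarc, "disposition": disposition}


def cross_product_outcomes(policy: Dict[str, str]) -> Dict[Tuple[bool, bool], str]:
    """Enumerate the four (SPF aligned pass?, DKIM aligned pass?) cases
    that Murray's remark refers to, using constructed sample identifiers."""
    table = {}
    for spf in (True, False):
        for dkim in (True, False):
            results = [
                AuthResult("spf", "pass" if spf else "fail", "example.com"),
                AuthResult("dkim", "pass" if dkim else "fail", "example.com"),
            ]
            table[(spf, dkim)] = evaluate_dmarc("example.com", results, policy)["dmarc"]
    return table


if __name__ == "__main__":
    # Constructed sample: SPF passes on a bounce subdomain, DKIM on the exact domain.
    sample = [AuthResult("spf", "pass", "bounce.example.com"),
              AuthResult("dkim", "pass", "example.com")]
    print(evaluate_dmarc("example.com", sample, {"p": "reject", "aspf": "s"}))
    print(cross_product_outcomes({"p": "reject"}))
```

Under relaxed alignment the SPF pass on bounce.example.com aligns with an example.com From: domain; switching aspf=s drops that pass, and only the DKIM signature carries the message. The four-entry table makes Murray's scaling concern concrete: today one p= tag covers the whole cross product because DMARC collapses it to "any aligned pass", and a per-combination policy would multiply tags with every added mechanism.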
