I'm the full-time Postmaster, Senior Technical Engineer and .NET Developer for National Financial Partners (ticker: NFP). We're a mid-cap with 5,000 email accounts and 210 sending domains. Many of your financial institutions likely worked directly with me or with our staff in the past few years. (I know this because I cross-checked our TLS phone escalation directory against the DMARC Nascar-style logo sheet on the website.)
We also act as a third-party policy gateway and listserv for an additional 3,000 finance affiliates who use our security or audit services. This includes about 200 sending domains. DMARC was designed behind closed doors with hand-picked partners before being shared with the public (which is a good thing to some extent). NFP (and, with sufficient persuasion, our partners) can offer the DMARC initiative the following:

1. Access to several real-world deployments that aren't as large as your major players (LinkedIn, FB, or consumer banking partners), with relatively minor risk.
2. Constructive dialogue triaged through an intermediary (so you don't have 400 sending domains that need to get on the same page, reducing list noise).
3. An engineering point of contact that isn't so abstracted from operations and helpdesk that the feedback is not in touch with the real world.
4. Some C# development and coding once things get more defined.

Now that I've established what I can offer and where I'm coming from: I can definitely relate to the brand dilution and client and customer issues that come from phishing that the larger partners are seeing. For the larger partners, phishing is seen and received by many, many people (likely even the CTO); however, there are "long tail" phishing schemes of lesser-known names that have more implicit trust. People tell themselves: "who is going to phish Joe's Insurance, the one I do business with, a relatively unknown...". I have specific evidence that this has occurred on a number of occasions for lesser-known brands. I'm sure every technical person on this list has been frustrated when they see a technical issue of significance, need to "sell" it to get buy-in, but get resistance. This sales pitch could be to Change Control or to senior staff. I have great, responsive management, but need to be ready to sell this to partners who we have a business interest in.
TL;DR and long story short: I'm expressing my need and concern for the current DMARC spec to offer reporting with no disposition change, perhaps with "p=none pct=0" as part of the record. I'm available to elaborate or compare notes offline or on list, as appropriate, with anyone who is interested. Reach me at my email here or [email protected]

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Michael Adkins <[email protected]>
Sender: [email protected]
Date: Sat, 7 Jul 2012 16:46:21
To: Scott Kitterman <[email protected]>; [email protected] <[email protected]>
Subject: Re: [dmarc-discuss] Clarification needed; Does p=none override -all and ADSP in all cases?

>
>Here's another use case to consider:
>
>A large financial institution has invested a lot of effort into separating its
>human and transactional domains, deployed SPF, DKIM, and ADSP (on the
>transactional domains) and is comfortable with its situation. Now you tell
>them they should deploy DMARC. How do they evaluate DMARC and see what the
>impact of publishing DMARC reject policies would be without messing up the
>stuff they've already spent 5 years working on?

The large financial institutions who participated in the DMARC effort did not express this concern.

>
>By the current definition, they can't. Why not? If you want to split out
>monitoring from take no policy action of any kind into two separate things,
>that's fine, but I really think you need a monitor policy that means exactly
>that and no more.
>
>Scott K
>
>_______________________________________________
>dmarc-discuss mailing list
>[email protected]
>http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
>NOTE: Participating in this list means you agree to the DMARC Note Well
>terms (http://www.dmarc.org/note_well.html)
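As an added illustration of the "p=none pct=0" idea and of Scott's monitor-versus-policy distinction (this is example code, not anything from the thread or from the DMARC group), here is how a receiver resolves the p, sp and pct tags of a record into a disposition under the RFC 7489 rules. The record strings are constructed, and the roll parameter stands in for the receiver's per-message random draw so the result is reproducible.

```python
# Added example: resolve DMARC tags to a disposition (RFC 7489 section 6.6.4).
# Records below are constructed for illustration, not real published records.

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; pct=0' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be in 0..100")
    tags["pct"] = pct
    return tags

# Next less severe policy, applied to messages outside the pct sample.
_DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def disposition(record, is_subdomain, roll):
    """Disposition for one message that failed DMARC alignment.

    record       tags from parse_dmarc()
    is_subdomain True when RFC5322.From is a subdomain of the org domain,
                 in which case 'sp' applies if present
    roll         receiver's random draw in 0..99 (a real receiver draws a
                 fresh value per message; here it is a parameter)
    Returns (policy_requested, disposition_applied).
    """
    policy = record["sp"] if is_subdomain and "sp" in record else record["p"]
    policy = policy.lower()
    if policy not in _DOWNGRADE:
        raise ValueError("unknown policy %r" % policy)
    sampled = roll < record["pct"]  # pct=0 never selects a message
    applied = policy if sampled else _DOWNGRADE[policy]
    return policy, applied

# Constructed records: the reporting-only form proposed in the thread, and a
# partial rollout of reject, which still quarantines the unsampled remainder.
MONITOR_ONLY = parse_dmarc("v=DMARC1; p=none; pct=0; rua=mailto:dmarc@example.com")
PARTIAL_REJECT = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for roll in (0, 49, 50, 99):
        print(roll, disposition(MONITOR_ONLY, False, roll),
              disposition(PARTIAL_REJECT, False, roll))
```

Note that with p=none the pct tag changes nothing, since "none" is already the least severe policy; with p=reject, a low pct does not yield monitoring-only behaviour but quarantine for the unsampled share.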
