On 7/8/2012 4:13 PM, Scott Kitterman wrote:
On Sunday, July 08, 2012 04:43:22 PM John Levine wrote:
1. Why a DMARC policy should override all other policy and the role of
"local policy".

This is a bad idea because it builds heisenbugs into the spec.  All I
want to do is to collect stats so I publish p=none, but now I hear
that this means that some MTAs will interpret my SPF and DKIM
signatures differently.  Blech.  I'm also sure that no matter what
DMARC says, lots of people will do what I do, publish p=none to get
the stats, and continue to interpret SPF and DKIM in the usual way.
There is an element of urinating upwind here.

My suggestion would be to describe the process as three layers.

A.  Do what you already do for SPF and DKIM.  If this results in
rejecting mail (e.g., SPF -all) or whitelisting mail (e.g., DKIM
signature from a known friendly sender), you're done.
B.  For all the rest of the mail, do the DMARC stuff.  If the
policy says to quarantine or reject a message, you're done.
C.  Apply existing secret sauce to filter the rest of the mail.

I don't think this is very different from what DMARC says to do now,
but it doesn't break people who implement DMARC partially or not at
all.  To the argument that this might accept some mail that DMARC
would say to quarantine or reject, that's not a bug. At worst it means
that I have poor taste in whitelists, at best it means that I do
competent filtering of mail from mailing lists.

I think this makes a lot of sense.  I think it's how this will likely work in
practice for most receivers anyway.  Having the spec be aligned to reality is
an important aspect of the increased reliability in the email ecosystem that
DMARC is trying to foster.

Scott K
_______________________________________________

+1


_______________________________________________
dmarc-discuss mailing list
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
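
The three-layer ordering John Levine proposes (A, B, C above) can be sketched as a receiver-side decision function. This is an added example, not code from the thread or from any DMARC implementation; the `Message` fields, `FRIENDLY_SIGNERS`, the reject-on-SPF-fail choice, and the exact-match alignment check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed local policy: DKIM signers this receiver whitelists.
FRIENDLY_SIGNERS = {"lists.example.org"}

@dataclass
class Message:
    from_domain: str               # RFC5322.From domain
    spf_result: str                # "pass", "fail", "softfail", "none"
    spf_domain: str                # domain SPF was evaluated for
    dkim_pass_domains: List[str]   # d= of signatures that verified
    dmarc_policy: Optional[str]    # published p= value, None if no record

def dmarc_passes(msg: Message) -> bool:
    # Simplification: strict (exact-match) identifier alignment only.
    spf_ok = msg.spf_result == "pass" and msg.spf_domain == msg.from_domain
    dkim_ok = msg.from_domain in msg.dkim_pass_domains
    return spf_ok or dkim_ok

def evaluate(msg: Message, content_filter=lambda m: "accept") -> Tuple[str, str]:
    """Return (disposition, layer that decided)."""
    # Layer A: existing SPF/DKIM handling, unchanged by any DMARC record.
    # Assumption: this receiver already rejects on SPF fail (-all).
    if msg.spf_result == "fail":
        return "reject", "A"
    if FRIENDLY_SIGNERS.intersection(msg.dkim_pass_domains):
        return "accept", "A"
    # Layer B: DMARC only decides when the policy asks for an action.
    if msg.dmarc_policy in ("quarantine", "reject") and not dmarc_passes(msg):
        return msg.dmarc_policy, "B"
    # Layer C: everything else goes to the receiver's own filtering.
    return content_filter(msg), "C"

if __name__ == "__main__":
    # Constructed samples: list traffic, an unknown relay, a p=none domain.
    samples = [
        Message("example.com", "pass", "lists.example.org", ["lists.example.org"], "reject"),
        Message("example.com", "pass", "relay.example.net", ["relay.example.net"], "reject"),
        Message("example.com", "none", "", [], "none"),
    ]
    for m in samples:
        print(m.spf_domain or "(no SPF identity)", m.dmarc_policy, evaluate(m))
```

The first sample is the whitelisted mailing-list case: it is accepted at layer A even though a DMARC check alone would have rejected it, and the `p=none` sample reaches layer C with SPF and DKIM interpreted exactly as before.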