> [snip]
>
> That means identifying such traffic falls to the realm of heuristics, and I
> don't believe an authentication protocol (or a policy protocol based on
> authentication) should be predicated even in part on a heuristic. Moreover,
> once the heuristics are either published or determined subversively, they
> can be exploited.
>
> [snip]
>
>> Therefore, DMARC is only as robust as the exception process created for
>> handling mailing lists.
>
> or the absence of such a process.
Murray, I've been doing more reading in order to fully appreciate your perspective. I think the DMARC spec assumes that I understand not only [EMAIL-ARCH] RFC5598 but also David's understanding of using mail streams to identify email (see slide 7 here: http://bbiw.net/presentations/DKIM%20Trust%20Truth.pdf ).

NOTE: The next section applies to DKIM only (not DMARC).

The following is an adapted version of slide 7 of David's presentation. In this slide he describes how mail streams correspond with a DKIM d= parameter, and should have a subdomain for each of these different traffic types:

- Corporate
- Transactions (purchase order, order confirmation...)
- Proposals
- Marketing mass mailings
- Customer Support

This will allow different reputations to develop under different labels, though many ADMDs may not need this granularity of reputation isolation. For example:

- corp.example.com
- transact.example.com
- bulk.example.com
- free.example.com
- paid.example.com
- uk.example.com
- faculty.example.edu
- student.example.edu

/End DKIM-only commentary

*Question 1*
Would it be correct to say that DMARC only attempts to authenticate a SUBSET of those streams previously mentioned? Some of those streams are "Transactional" by nature.

*Question 2*
Could it be better to replace the phrase "transactional email" with a more descriptive word describing that we want a mail stream that sends direct to end user mailboxes? Or at least can we put in the RFC some wording that says the current form of DMARC doesn't work well with RFC5598 Resender, MailingList, or Gateway recipients?

*Question 3*
Suppose I'm a DMARC sender sending to a DMARC-enabled recipient. Is there any issue with me using the current draft of to authenticate "bulk.example.com" with no DMARC policy for my end user domain of "example.com"? I say this because I can't (or won't) change my user email addresses to "corp.example.com".

In other words, how do receivers handle the reputation of a DKIM policy where "d=example.com" versus my DMARC policy where "d=bulk.example.com"? If one of those is marked as spammy, how does that affect other traffic? Please elaborate as much as possible.

*Question 4*
If understanding the notion of mail streams is required for DMARC, can we add that to [EMAIL-ARCH] or to an appropriate section of the draft?

-Chris Lamont Mankowski
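Added example, not part of this thread or of any DMARC implementation: how a receiver applying RFC 7489 policy discovery and identifier alignment would treat the Question 3 scenario (RFC5322.From in example.com, DKIM d=bulk.example.com, DMARC record published only for bulk.example.com). The public-suffix set and the _dmarc records below are constructed stand-ins for the Public Suffix List and DNS.

```python
# Added example (not from the thread): DMARC policy discovery and identifier
# alignment per RFC 7489, applied to the bulk.example.com / example.com case.

# Constructed stand-in for the Public Suffix List (real receivers use the full list).
PUBLIC_SUFFIXES = {"com", "edu", "co.uk"}

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>.
# Note: there is deliberately no record for example.com itself.
DMARC_RECORDS = {
    "bulk.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

def organizational_domain(domain: str) -> str:
    """Organizational Domain (RFC 7489 section 3.2): public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same Organizational Domain, so bulk.example.com aligns with example.com."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)

def parse_record(txt: str) -> dict:
    return dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)

def discover_policy(from_domain: str):
    """Policy discovery (RFC 7489 section 6.6.3): query the From domain, then
    its Organizational Domain. Records on sibling subdomains are never consulted."""
    for d in (from_domain, organizational_domain(from_domain)):
        rec = DMARC_RECORDS.get(d.lower())
        if rec:
            return d, parse_record(rec)
    return None, None

def evaluate(from_domain: str, dkim_domains: list, spf_domain):
    """Return (result, requested policy). 'none' means no DMARC policy applied."""
    _, rec = discover_policy(from_domain)
    if rec is None:
        return "none", None
    dkim_pass = any(aligned(d, from_domain, rec.get("adkim", "r")) for d in dkim_domains)
    spf_pass = spf_domain is not None and aligned(spf_domain, from_domain, rec.get("aspf", "r"))
    return ("pass" if dkim_pass or spf_pass else "fail"), rec.get("p")

if __name__ == "__main__":
    # Question 3 scenario: the bulk.example.com policy has no effect on example.com mail.
    print(evaluate("example.com", ["bulk.example.com"], None))        # ('none', None)
    print(evaluate("bulk.example.com", ["bulk.example.com"], None))   # ('pass', 'reject')
    print(evaluate("bulk.example.com", ["example.com"], None))        # ('fail', 'reject')
```

The last two calls show the effect of adkim=s: a signature from the parent domain does not align with a strict bulk.example.com policy, while relaxed alignment would accept any domain sharing the Organizational Domain.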
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
