Mason,
It's fair to say that there isn't yet a blanket consensus about the
[non-]use of p=(quarantine|reject) on correspondence domains (domains
used by individuals for one-to-one communication). However, if you are
not an expert (e.g. if email security is not your full-time occupation)
then you almost certainly do _*not*_ want to do so, despite the fact
that some pioneering experts are developing ways to do so in their
environments.
Yes:
* the FAQ isn't yet as clear on this as it could be
* various BCPs that are under development are not yet public
* a great deal of what is public is a little optimistic and/or not
clearly delineating the differences in appropriate practice for
smaller senders
welcome to the bleeding edge.
On 20/11/2012 11:31, Mason Schmitt wrote:
> Like any business,
> large or small, she also wants to protect her brand.
OK. What's the threat, in dollars? How much money did she provably lose
in the last year to spoofing?
p=(quarantine|reject) on correspondence domains exposes you to a
dilemma: if the "do nothing" side of the dilemma doesn't cost you
quantifiable business while the "turn on aggressive policies" side does,
then choosing the "do nothing" side is a no-brainer. There is no correct
answer, just a lesser of two evils.
If there are no provable losses, then p=none is the one that you want.
> First, is it really justifiable to make a blanket statement that a
> domain with human users should only use p=none?
If you don't have the experience, expertise and time to deal with the
consequences (it appears that you don't), then yes.
> Or taking a longer view, is it possible for DMARC
> reporting in conjunction with services that consume those reports to
> actively help guide well intentioned senders to modify their
> infrastructure to be DMARC compliant so that, in the future,
> implementing a reject policy on a domain that has human users is a
> feasible best practice?
There is no work in progress to make DMARC useful for correspondence
domains in the way that you describe, no. DMARC p=(quarantine|reject) is
a tool to help heavily spoofed Domain Owners co-operate with receivers
on dealing with a specific, very high priority and otherwise intractable
problem (that of correct-domain spoofing of high-value targets). It is
not designed for other uses, however the feedback provided by p=none is
interesting to many Domain Owners and is available as a handy side-effect.
> Certainly updating Mailman, Yahoo Groups,
> Google Groups, and other major mailing list implementations would go a
> very long way to reducing this problem to a very minor one.
It is conceivable that you'll convince each of those organisations to
set aside pursuing their organisational objectives generally and the
thwarting of crime in particular to prioritise making a change in their
already very complicated environments in order to soften a relatively
minor problem that people who misconfigure their environments inflict
upon themselves, but your odds don't seem terribly good.
- Roland
--
Roland Turner | Director, Labs
TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
Mobile: +65 96700022 | Skype: roland.turner
[email protected] | http://www.trustsphere.com/
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
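As an added example (not code from Roland's or Mason's posts), this Python script summarises the p=none feedback the thread refers to: it reads a constructed, trimmed DMARC aggregate (rua) report for a hypothetical example.com, groups messages by sending source into aligned and unaligned, and counts how many messages a move to p=quarantine or p=reject would have affected. Real reports are gzipped attachments with more fields; only the elements used here are included.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, trimmed aggregate (rua) report: three sending sources seen
# by a hypothetical receiver for example.com, which publishes p=none.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>8</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def summarize(xml_text):
    """Return (published policy, {source_ip: {"aligned": n, "unaligned": n}}).

    DMARC passes when either the DKIM or the SPF result is aligned, so a
    record counts as unaligned only when both results are "fail".
    """
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    totals = defaultdict(lambda: {"aligned": 0, "unaligned": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        key = "aligned" if "pass" in (dkim, spf) else "unaligned"
        totals[ip][key] += count
    return policy, dict(totals)


def enforcement_impact(totals):
    """Messages that a stricter policy (quarantine/reject) would have hit."""
    return sum(v["unaligned"] for v in totals.values())


if __name__ == "__main__":
    policy, totals = summarize(SAMPLE_REPORT)
    print("published policy:", policy)
    for ip, counts in totals.items():
        print(f"{ip}: {counts['aligned']} aligned, {counts['unaligned']} unaligned")
    print("messages a move to p=reject would have affected:", enforcement_impact(totals))
```

Unaligned sources in a report are the place to look for forwarders, mailing lists and misconfigured infrastructure before deciding whether a stricter policy is affordable.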