>> This isn't a minor nit-picking about wording.  Using a label that has the
>> semantic of abuse, for an action that is entirely legitimate, continues to
>> confuse discussion about actual abuse.
>
>Considering the domain under discussion is using DMARC with a p=reject policy,
>we're left in a situation where the domain owner is clearly stating that
>unauthorized use of the domain is disallowed.  Because PayPal is using the
>domain anyway, that puts them into the bucket of "abuser", their practice is
>"spoofing", and "actual abuse" is a subjective term.

No, we're seeing a situation where the DMARC record makes an incorrect
and misleading assertion about the sender's actual policy.

PayPal sent a real message about a genuine transaction authorized by a
real user with a real account that he went through considerable effort
to set up.  There is nothing spoofed or abusive about it.  Publishing
a TXT record that conflicts with that doesn't change the reality, it
just means that the TXT record is wrong.

We had this same argument at great length with the SPF fanatics, who
insisted that any usage of SMTP that couldn't be described by SPF -all
was the fault of SMTP users rather than a limitation of SPF.  Could we
please not have it again now?

R's,
John
_______________________________________________
dmarc-discuss mailing list
http://www.dmarc.org/mailman/listinfo/dmarc-discuss