On 3/30/2013 1:40 PM, John R Levine wrote:
a) Implement p=reject by discarding mail rather than SMTP rejects.
That's what we did in ADSP.  You still run the risk of losing mail
your users want, but that's between you and them, and it's inherent
in any scheme like this.

I think this is a good idea, but it does open the door for even more
ambiguity in how receivers implement DMARC.  Perhaps it would make sense
for a subsequent revision of the DMARC spec to include a policy of 'drop'
in addition to the existing 'reject' policy.

Please, no.  This is a quality of implementation issue, not a policy issue.

DMARC p=reject means the same thing as ADSP discardable, the sender is
so worried about phishing that it doesn't want you to deliver the mail
if there's any doubt about its authenticity, even though that may mean
losing real mail your users want.


Did I miss this or am I interpreting something incorrectly? Has this aspect of DMARC actually changed since last summer? If so, great and I am sorry to all on list that I obviously missed that thread.

Specifically, has the following case been decided as the currently understood correct behavior for DMARC?

Case of SPF "v=spf1 -all"
1) A domain owner publishes a "v=spf1 -all" DNS TXT RR for their domain (indicating that their domain should absolutely never send email).
2) Then an MTA sender purports that the domain is sending messages (because the sender issues a message envelope MAIL FROM: header claiming to be the domain name claiming not to be a sender).
3) The receiver then presumes it to be 100% spam (at least apparently as far as the domain holder is concerned) and will not deliver the message to the RCPT TO: - even when the DMARC p=reject is set.

Again, if yes, fantastic. Because it is entirely reasonable to believe if there was ever a time to trust what a domain holder says, it is when they say "drop all messages from this domain, because if you ever do get messages from this domain while our published SPF record for this domain reflects 'v=spf1 -all', those messages are 100% bogus and should never get delivered to their target RCPT TO recipients.".

After all, can you think of a case where a UCE sender/spammer would ever insist on having 100% of their messages dropped?

Arguably, perhaps a UCE sender/spammer could attempt to use the domain name in a dictionary attack on another receiver in an attempt to ding the reputation of the domain, but then respecting what the publisher of the domain name has said in their "v=spf1 -all" SPF record, the receiver response could always be something like a "550 No such user" to each RCPT TO: (even if there was such a user, which would then limit the effectiveness [to zero] of such an attack as regards the gaining of data on email account addresses for the target receiving domain, which is generally the point of most dictionary attacks I think).

Alan

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
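
The "v=spf1 -all" case from the message above, worked through as an added example that is not part of the original thread: a receiver-side decision function showing where SMTP reject and silent discard diverge under p=reject. The function names, the `discard_on_reject` switch and the SMTP reply text are assumptions made for illustration, and `pct` and subdomain policy are ignored.

```python
# Added example; the records passed in the tests are constructed samples.

def is_null_spf(txt):
    """True for a record that authorises no sender: exactly 'v=spf1 -all'."""
    return txt.lower().split() == ["v=spf1", "-all"]

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a lower-cased tag dict, or None."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def disposition(spf_txt, dmarc_txt, spf_aligned_pass=False,
                dkim_aligned_pass=False, discard_on_reject=False):
    """Return (action, smtp_reply) for one message claiming the domain."""
    if is_null_spf(spf_txt):
        spf_aligned_pass = False  # "-all" alone: SPF fails for every client IP
    if spf_aligned_pass or dkim_aligned_pass:
        return ("deliver", "250 2.0.0 OK")  # DMARC passes on either mechanism
    tags = parse_dmarc(dmarc_txt) or {}
    policy = tags.get("p", "none")
    if policy == "reject":
        if discard_on_reject:
            # Accept at SMTP time, then drop silently (the ADSP-style handling)
            return ("discard", "250 2.0.0 OK")
        # Reply text is illustrative; only the 550 code class matters here
        return ("reject", "550 5.7.1 rejected by sender domain policy")
    if policy == "quarantine":
        return ("quarantine", "250 2.0.0 OK")
    return ("deliver", "250 2.0.0 OK")  # p=none or no DMARC record
```

Either way the message never reaches the recipient; the difference is only whether the sending MTA learns of the failure.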
