On Saturday, January 25, 2014 5:05 PM [GMT+1=CET], John Sweet wrote:
> On Jan 25, 2014, at 6:49 AM, "J. Gomez" <[email protected]> wrote:
> > And what about this additional bullet in that section of the FAQ:
> >
> > * Check plain-SPF before checking DMARC, and if SPF-result is pass
> > then skip DMARC processing.
>
> Wasn't the case of spoofing via (envelope domain != from header
> domain), which passes SPF, one of the problems DMARC was specifically
> designed to address?
>
> Am I missing something?

Yes, you are missing the point that in order to avoid DMARC breaking mailing lists, the recommendation should be not to use DMARC if you care about your users subscribing to mailing lists.

DMARC is designed so that Facebook|Paypal|Ebay can authenticate with Gmail|Hotmail|Yahoo, not for the general small-domain senders of the Internet to use, and therefore not for the small mailbox providers of the Internet to check[*].

I still think it is better not to process DMARC at all than to obey DMARC's p=reject policy and risk breaking mailing lists in the process.

To process DMARC but end the processing by ignoring DMARC's p=reject policy, if the sender has published it, seems to me a total waste of time, computer resources and human trust. So why waste? Just skip it.

[*] That is because, _in_practice_, DMARC needs a non-trivial amount of work on the receiver's end to mount and maintain current a whitelisting system to make DMARC effectively work as originally intended.

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
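
The following is an added illustration of the question quoted above (envelope domain != From header domain with an SPF pass). It is not part of the original message and was not written by any list participant. It compares the proposed "SPF pass, skip DMARC" shortcut with a simplified DMARC evaluation. The function names, the sample messages, the p=reject policy and the two-label organizational-domain rule are all assumptions made for the example.

```python
# Added example; all messages below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Message:
    envelope_domain: str               # RFC5321.MailFrom domain, the identity SPF checks
    from_domain: str                   # RFC5322.From domain, the identity DMARC protects
    spf_result: str                    # result of the plain SPF check
    dkim_domain: Optional[str] = None  # d= of a DKIM signature that verified, if any

def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. A real receiver
    # uses the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identity: str, from_domain: str) -> bool:
    # Relaxed alignment: both names share the same organizational domain.
    return org_domain(identity) == org_domain(from_domain)

def dmarc_result(msg: Message) -> str:
    spf_ok = msg.spf_result == "pass" and aligned(msg.envelope_domain, msg.from_domain)
    dkim_ok = msg.dkim_domain is not None and aligned(msg.dkim_domain, msg.from_domain)
    return "pass" if spf_ok or dkim_ok else "fail"

def full_dmarc_disposition(msg: Message, policy: str) -> str:
    if dmarc_result(msg) == "pass":
        return "accept"
    return policy if policy in ("reject", "quarantine") else "accept"

def spf_shortcut_disposition(msg: Message, policy: str) -> str:
    # The FAQ bullet proposed in the thread: an SPF pass means DMARC is skipped.
    if msg.spf_result == "pass":
        return "accept"
    return full_dmarc_disposition(msg, policy)

# Constructed messages; the From domain example.com is assumed to publish p=reject.
DIRECT = Message("bounce.example.com", "example.com", "pass", "example.com")
SPOOF = Message("example.net", "example.com", "pass")  # envelope != From, SPF passes
# Constructed: a list re-sent the mail with its own envelope sender, and the
# original DKIM signature is assumed to no longer verify.
VIA_LIST = Message("lists.example.org", "example.com", "pass")

if __name__ == "__main__":
    for name, m in (("direct", DIRECT), ("spoof", SPOOF), ("via list", VIA_LIST)):
        print(f"{name:9} dmarc={dmarc_result(m):4} "
              f"full={full_dmarc_disposition(m, 'reject'):6} "
              f"shortcut={spf_shortcut_disposition(m, 'reject')}")
```

With these inputs the spoofed message and the list-forwarded message get the same DMARC result, so the shortcut accepts both and full evaluation under p=reject rejects both.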
