On 02/27/2014 07:33 PM, J. Gomez wrote:
> On Tuesday, February 25, 2014 8:34 PM [GMT+1=CET], Tim Draegen wrote:
>> You guys are accumulating a bit of history of not really talking
>> about DMARC, but instead asserting random things that aren't true,
>> and then disappearing when asked to do some homework.
> Is it true that if you reject incoming email which fails DMARC validation and
> whose sender's policy is REJECT, then you are in for a world of hurt? Yes, it
> is true.

No, it's false:
* It's hyperbolic; there is likely to be some difficulty, not likely
to be "a world of hurt".
* Whether or not following the sender's policy for any specific DMARC
failure is going to create one of those difficulties will vary
depending upon a number of independent variables, most notably
including whether the Domain Owner has their ducks in a row and
whether the message has been forwarded in a way that breaks DKIM.

> Therefore, DMARC's p=reject is not something you can trust, nor follow. Period.
> There is no clothing that puppet that is going to change this truth about DMARC.

Also false.
You are attempting to characterise DMARC use by a receiver as an
all-or-nothing proposition and/or as something which receivers would
benefit from following blindly. This is simply not true. It's not what
DMARC was designed to do. It's not what any sensible receiver would try
to do.
You are viewing this from the same unworkable viewpoint which led to the
failures of SPF -all, DomainKeys o=- and ADSP dkim=discardable. DMARC
has succeeded in large part because it has left this unworkable
viewpoint behind. The sooner you let go of the errors of the past, the
sooner you'll be able to make good use of DMARC.

> You can feed a DMARC result of fail plus p=reject as score input into some
> system to apply some locally crafted algorithms to determine the probability of
> spamminess/phishing,

This is not a good idea. For a given 5322.From-domain and
source-IP-address combination, the DMARC result should either be
followed or ignored. Probabilistic approaches are a very poor fit.
...
> It is the DMARC specification that chose to call it "policy", not
> "recommendation". And policy is a policy, not a suggestion. Twisting words to fit
> ex-post facto scenarios/realities is not funny.

OK, this is perhaps the core of your misunderstanding. That a Domain
Owner expresses a policy which a receiver elects to ignore does not mean
that it's not a policy, merely that it's not binding upon the receiver.
One party's policy _*is*_ the other party's recommendation, suggestion
or request. This is not a contradiction, nor is it ex post facto
twisting; this is the plain English meaning of the word.
If the meaning of the word policy is all that's been bothering you, then
perhaps you are now in a position to reconsider your view?
- Roland
--
Roland Turner | Director, Labs
TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
Mobile: +65 96700022 | Skype: roland.turner
[email protected] | http://www.trustsphere.com/
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
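
The follow-or-ignore decision described in the reply above, sketched as an added example (not code from this thread or from any DMARC implementation): a receiver keeps a local table keyed on the 5322.From domain and source network, ignores DMARC failures for listed combinations, and follows the published policy for everything else. The table contents, function names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed local table (an assumption for this sketch): combinations of
# RFC5322.From domain and source network for which this receiver has decided
# to ignore DMARC failures, e.g. a forwarder known to break DKIM.
LOCAL_IGNORE = [
    ("example.org", ipaddress.ip_network("192.0.2.0/24")),
    ("example.org", ipaddress.ip_network("2001:db8:10::/48")),
]


def normalise(domain):
    """Lower-case the domain and drop a trailing dot so lookups are stable."""
    return domain.strip().rstrip(".").lower()


def is_ignored(from_domain, source_ip, table=LOCAL_IGNORE):
    """True if this exact (From domain, source IP) combination is overridden."""
    ip = ipaddress.ip_address(source_ip)
    domain = normalise(from_domain)
    return any(domain == d and ip in net for d, net in table)


def disposition(from_domain, source_ip, dmarc_result, policy, table=LOCAL_IGNORE):
    """Return (action, reason); the DMARC result is followed or ignored, never scored.

    "accept" only means DMARC does not block the message; other filters still apply.
    """
    if dmarc_result != "fail":
        return ("accept", "no DMARC failure to act on")
    if is_ignored(from_domain, source_ip, table):
        return ("accept", "DMARC failure ignored by local override")
    if policy in ("reject", "quarantine"):
        return (policy, "published policy followed")
    return ("accept", "no enforcing policy published")


if __name__ == "__main__":
    # Constructed sample messages: (From domain, source IP, result, policy).
    for msg in [
        ("example.org", "192.0.2.25", "fail", "reject"),
        ("example.org", "198.51.100.7", "fail", "reject"),
        ("example.net", "192.0.2.25", "fail", "quarantine"),
    ]:
        print(msg, "->", disposition(*msg))
```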