On Thu, Feb 27, 2014 at 3:33 AM, J. Gomez <[email protected]> wrote:
> Is it true that if you reject incoming email which fails DMARC validation > and whose sender's policy is REJECT, then you are in for a world of hurt? > Yes, it is true. Therefore, DMARC'S p=reject is not something you can > trust, nor follow. Period. There is no clothing that puppet that is going > to change this truth about DMARC > Sure that's true, if one deals in absolutes. I had thought the email community had learned many years ago that very little in the way of this sort of work is deterministic; indeed there is ample evidence to the contrary. Perhaps more specifically, we learned (or so I thought) during the development of SPF and ADSP that it is impossible to make policy statements that are absolute, because email is a complex beast whose myriad aspects cannot be completely accounted for with simple policy statements. Nobody has ever sold DMARC as a fire-and-forget silver bullet. I get that this is the kind of thing the world would really like, and it appears that this is how you're reading it. I'm sorry if you feel you've been misled, but I also submit that thinking about email security in such terms is rather antiquated. If indeed it's the word "policy" that is causing you so much friction, it would seem you have ignored Section 4 of the current draft. Nevertheless, I am sure we would welcome your constructive suggestion about how better to describe that part of the protocol. I trust, however, that you are equally hostile toward SPF's "-all" capability, given what the "P" in "SPF" represents? It's unfortunate that the Proposed Standard version of the SPF RFC has already been approved, if so. > It is the DMARC specification that chose to call it "policy", not > "recommendation". And policy is a policy, not a suggestion. Twisting words > to fit ex-post facto scenarios/realities is not funny. > To reiterate: It has been understood for some time that no actor can do anything other than make a recommendation or a request no matter what one calls it. In fact the current version of the DMARC base draft has language in this area that's already been softened to indicate that it is only a request or recommendation, even though it is called a policy (again, Section 4). "Policy" has essentially become a term of art. Perhaps you can spend your whole working day, day after day, fine tuning > your local DMARC processing secret-sauce. Good for you. Other people do not > have that luxury. > Nobody is forcing DMARC down their throat (or yours) either. -MSK
_______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
