On 03/06/2014 07:23 AM, J. Gomez wrote:
We probably inhabit different universes.
This is conceivable :-)
In mine, SPF -all "just works" and, most importantly, it allows the
receiver to outsource onto the sender 100% of the blame arising from
any non-deliveries because of SPF -all failures; also, in my universe
DMARC has not "succeeded" -- not yet, at least.
So:
* The test of SPF -all's effectiveness is not whether it can be turned
on without doing damage but whether it contributes materially to
preventing spoofing. It doesn't; spoofers can and do trivially pass SPF.
* Few receivers have the luxury of being able to blame others for
disrupting legitimate email flows. If you are one of those who can
get away with this, then by all means implement DMARC as-is. If it
suddenly turns out that your users
For DMARC to be a viable option for receivers, it has to provide them
with a non-refutable answer/position for the cases when mail is not
delivered because of DMARC failures. If receivers are expected to
build a custom, fine-tuned, on-going maintenance-heavy local-only
system to deal with DMARC failure cases, because receivers cannot just
outsource onto senders the blame for DMARC failure cases, then most
receivers WILL NOT IMPLEMENT DMARC. My guess is many receivers will
not implement DMARC after having burned to much time and support costs
dealing with DMARC failure cases.
OK, this is perhaps the core of your misunderstanding. That a Domain
Owner expresses a policy which a receiver elects to ignore does not
mean that it's not a policy, merely that it's not binding upon the
receiver. One party's policy is the other party's recommendation,
suggestion or request.
One party's policy published for the consumption of the receivers, is a policy
expected to be treated as policy by the receivers, otherwise it would be the
first party's private-policy and not the first party's published-policy. If
what I publish as policy is to be regarded as a song, then why do I bother
publishing a policy instead of a song?
This is not a contradiction, nor is it ex post
facto twisting; this is the plain English meaning of the word.
Policy is policy. That someone opts to not follow it, makes it an ignored
policy, not a non-policy. Therefore, DMARC's policy of p=reject is best to be
ignored. Or, in other words, there is not such a thing as a workable policy of
REJECT in DMARC.
Regards,
J.Gomez
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
--
Roland Turner | Director, Labs
TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
Mobile: +65 96700022 | Skype: roland.turner
[email protected] | http://www.trustsphere.com/
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
