On 03/07/2014 04:54 AM, John Coutts wrote:

> I happen to agree with J. Gomez. When I publish a policy, I fully expect it to
> be adhered to.

I hereby publish my policy that John Coutts immediately give me all of his money (in return for reading this pearl of wisdom, if you feel the need for some sort of exchange). By John's own reasoning, I am within my rights to fully expect that he will adhere to this and make payment to me immediately.

> I expected the same when SPF was first introduced (I published -all),

This inaccurate view was reasonable at the time. A decade on it should be pretty obvious that receivers aren't generally willing to allow senders to control receivers' security systems. (See also: DomainKeys o=- and ADSP dkim=discardable. We've been playing this tune for a while.)

> but SPF lacked a feedback mechanism to resolve issues,

This is not actually true. A feedback mechanism can be constructed with SPF's exists: mechanism; however, it's a difficult thing to do. Astonishingly, it still works today for a large fraction of mailboxes. The problem isn't the lack of a feedback mechanism, it's that email goes places that break SPF.

DMARC's success stems more from the fact that it was developed by the world's most heavily spoofed domain owner working directly with one of the world's largest receivers to hammer out a workable mechanism, rather than by the usual open debate process. The latter appears to be a good way to deal with building loosely coupled systems but, so far, a terrible way to thwart criminals.

> and people lost confidence in it. DMARC has a feedback mechanism, so there is
> no reason to ignore published policy. The responsibility is on me as a sender
> to use that policy properly, and it is the responsibility of the receiver to
> adhere to the published policy while doing their best to report and resolve any
> issues.

Different receivers have different relationships with their users. Some are very concerned about churn or other consequences of message loss, so are very careful about adopting security measures that risk disrupting legitimate communication; others are willing to break a few eggs. Approaches will therefore differ.

- Roland

--
  Roland Turner | Director, Labs
  TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
  Mobile: +65 96700022 | Skype: roland.turner
  [email protected] | http://www.trustsphere.com/

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
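The message above says a feedback channel can be built from SPF's exists: mechanism. The following is an added example, not code from the thread or its participants, showing one way a domain owner could do that: the exists: target embeds the connecting IP and sender through RFC 7208 macros, and the owner's DNS query log is decoded back into per-source counts. The domain example.com, the logging zone `_spf.example.com`, the `_i`/`_l` marker labels and the log lines are all constructed for illustration.

```python
import ipaddress
from collections import Counter

LOG_ZONE = "_spf.example.com"  # hypothetical logging zone (assumption)
# Constructed record: authorised sources match ip4 first, so only other
# sources reach exists: and trigger a lookup in the logging zone.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 exists:%{i}._i.%{l}._l.%{d}." + LOG_ZONE + " -all"

def expand(ip, sender, domain):
    """Expand the exists: target for the i, l and d macros (IPv4 only)."""
    target = SPF_RECORD.split("exists:")[1].split()[0]
    local = sender.rpartition("@")[0] or "postmaster"  # RFC 7208 default
    values = {"i": str(ipaddress.IPv4Address(ip)), "l": local, "d": domain}
    for letter, value in values.items():
        target = target.replace("%{" + letter + "}", value)
    return target.lower()

def decode(qname):
    """Recover (ip, local_part, domain) from a logged query name, else None."""
    name = qname.rstrip(".").lower()
    suffix = "." + LOG_ZONE
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    try:
        i, l = labels.index("_i"), labels.index("_l")
        ip = ipaddress.IPv4Address(".".join(labels[:i]))
    except ValueError:  # marker missing or leading labels are not an IPv4 address
        return None
    if l < i:
        return None
    return str(ip), ".".join(labels[i + 1 : l]), ".".join(labels[l + 1 :])

# Constructed authoritative-server query log lines (not real data).
SAMPLE_LOG = """\
07-Mar-2014 04:54:01 query: 203.0.113.9._i.billing._l.example.com._spf.example.com IN A
07-Mar-2014 04:54:02 query: 198.51.100.7._i.john.doe._l.example.com._spf.example.com IN A
07-Mar-2014 04:54:03 query: www.example.com IN A
07-Mar-2014 04:54:09 query: 203.0.113.9._i.billing._l.example.com._spf.example.com IN A
"""

def summarize(log):
    """Count SPF-triggered lookups per unauthorised source IP."""
    hits = Counter()
    for line in log.splitlines():
        for token in line.split():
            record = decode(token)
            if record:
                hits[record[0]] += 1
    return hits
```

Receivers cache DNS answers, so the counts are a lower bound on the mail seen from each source, and nothing is logged for mail that reaches a receiver which does not evaluate SPF.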
