On 4/7/2014 11:46 AM, Barney Wolff wrote:
On the other hand, neither the DMARC spec nor implementations contemplate
coping with mailing lists, which makes it all but impossible for DMARC
ever to be used in practice to reject messages.
There is a large class of messages that naturally produce properly
"aligned" and authenticated messages in the recipient's mailbox.
(Just to be diligent: aligned mean the rfc5322.From field domain name
matches the domain name in either or both of the message's
rfc5321.MailFrom command -- for SPF validation -- or the DKIM d= value;
authenticated means that DKIM validates and/or SPF passes.)
Such messages are created and sent by an entity having control over the
domain's DNS records and the mail follows a simple transmission path.
Bulk marketing mail (legitimate or not) and transactional mail are
common examples.
For such scenarios, DMARC works well.
The problem is for more complicated scenarios it does not. Those more
complicated scenarios are legitimate and always have been. Mailing
lists are obviously a good example. Imposing DMARC into those scenarios
breaks DMARC.
A simple question is whether the benefit of DMARC is sufficient -- and
sufficiently clear -- to warrant such a dramatic reduction in the
flexibility of email use?
Note that DMARC restrictions apply to information that is typically not
visible to end users -- most modern MUAs do not display the From: field
address. Also lack of alignment between the From: field domain name and
either authentication field is not inherently an indication of bad actor
behavior. In other words, any current problem with alignment is -- at
best -- merely a current correlation, with many work-arounds for bad
actors to explore.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
