On 05/01/2014 10:11 PM, Dave Crocker wrote:
On 5/1/2014 2:54 PM, Terry Zink wrote:
I remember reading somewhere about a year ago (can’t remember where, but
it was on a mailing list) that Gmail overrides the DMARC reject policy
and instead treats it as quarantine.
This provides a nice example of why "overrides" is probably not the
proper term.
Receivers have complex decision engines and take in all sorts of
information they use to formulate handling decisions.
A remote agency, such as a domain owner, cannot "dictate" a receiver's
actions. That is, it cannot assert anything that should reasonably be
called "policy", in terms of receiver actions. It of course can state
its desires -- which is what DMARC enables -- but that's quite different
from policy.
What's been described for gmail is that it takes guidance from the
published DMARC record and then formulates is /own/ policy.
In reality, that's what every receiver does. Always.
So gmail is not 'overriding' DMARC policy, it is merely choosing a
policy that factors in domain owner desire a bit differently than the
domain owner has requested.
This is more than semantic quibbling. It goes to an essential reality
about the tentative nature of publishing "policy" information.
+1
It seems that much of the confusion about 'DMARC policy' is due to the
fact that DMARC conflates the concepts of 'author domain signing policy'
[1] and the concept of 'requested receiver action policy' [2]; the two
are presented as one policy (DMARC p=). The result is: sky high
expectations on one side and a (growing?) set of combinations of
requested DMARC p= policies + applied receiver disposition policies.
Examples that were mentioned on this list (apart from the combinations
described in par. 5.2 of [3]) are:
p=reject, disposition quarantine (Gmail)
p=quarantine, disposition reject
It will be interesting to see if/when receivers will start implementing
the combination of 'p=none, disposition quarantine', or 'p=none,
disposition reject', as this will definitely have its impact on the use
of the reporting options in DMARC.
/rolf
[1] This is the general concept of author domain signing policy, which
is not equivalent to what we know as 'ADSP'.
[2] This is the concept of the message disposition policy, that is
requested by the author domain owner, to be applied by the receiver module.
[3] https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
