On May 1, 2014, at 1:11 PM, Dave Crocker <[email protected]> wrote:

> On 5/1/2014 2:54 PM, Terry Zink wrote:
>> I remember reading somewhere about a year ago (can’t remember where, but
>> it was on a mailing list) that Gmail overrides the DMARC reject policy
>> and instead treats it as quarantine.
>
> This provides a nice example of why "overrides" is probably not the
> proper term.
>
> Receivers have complex decision engines and take in all sorts of
> information they use to formulate handling decisions.
>
> A remote agency, such as a domain owner, cannot "dictate" a receiver's
> actions. That is, it cannot assert anything that should reasonably be
> called "policy", in terms of receiver actions. It of course can state
> its desires -- which is what DMARC enables -- but that's quite different
> from policy.

Dear Dave and Rolf,

DMARC is a mechanism that allows Author Domains a means to request clear and concise action. Some might describe that as a request to apply those actions "as policy" against their domain. When a requested action is not taken, it lessens protection.

It is neither mailing-lists nor recipients disrupting community forums and other third-party services. It is clearly Yahoo! and now others. If the DMARC specification is unclear, it should be made crystal clear. It is NEVER okay to request a REJECT policy against normal user accounts. It is not reasonable to assume receivers are able to apply uniform mailing-list heuristics without input necessary to prevent the disruption of legitimate and beneficial communication.

Rewriting "From" header fields is wrong and negates meaningful anti-spoofing by creating confusion about actual authors. Clear and concise action avoids exceptions based on heuristics that are always easily gamed. Adding cryptographic tokens of any sort is also easily replayed.

A mitigation strategy should be made available by Author domains to reduce possible damage their policy request might reasonably cause. There is a straightforward, low latency, and highly scalable strategy that has far less overhead than either DKIM or SPF. This strategy can even permit uniform treatment of both user and transactional accounts. This strategy expects Author Domains to offer necessary input which does not always track with any specific message. Nor will this strategy increase average message size. Nor will it require mailing-lists to change processing. TPA is that good.

We offer similar schemes supporting several very large ISPs. Nevertheless, TPA depends on Author Domains providing necessary information they should already have.

As email extends into China, typical users have compromised systems. In this environment, DMARC feedback may prove extremely useful at establishing user notification where TPA should be able to significantly lower the noise.
There will be a very steep learning curve ahead in this region.

Regards,
Douglas Otis

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
