On Jun 5, 2014, at 5:19 PM, Terry Zink via dmarc-discuss
<[email protected]> wrote:
>> Doesn’t this come back to the whitelist idea? For the green bar SSL certs
>> (Extended Validation), the certs have a bunch of information encoded in
>> them, and the browsers have a list of CAs that they trust. AFAIK, the only
>> way to do that for email is through DKIM, but you wouldn’t highlight all
>> DKIM-signed email, only DKIM-signed email that you trust, which is compared
>> against a whitelist.
>
>> Yes, definitely. See RFC 5518 for one approach.
>
> This makes sense.
>
> We were talking about whitelists and DMARC a couple of weeks ago wherein if a
> message fails DMARC yet comes from a certain domain/IP, do not enforce DMARC.
> This sounds just like VBR. From Section 3 of RFC 5518
> (http://www.ietf.org/rfc/rfc5518.txt):
>
> ====
> 3. Validation Process
>
> A message receiver uses VBR to determine certification status by
> following these steps:
>
> <snip>
>
> 3. Obtains the name of a vouching service that it trusts, either
> from among the set supplied by the sender or from a locally
> defined set of preferred vouching services
> ====
>
> Presumably, if VBR is already an RFC, why couldn't DMARC integrate with it?
> As a large receiver I would never trust a set supplied by the sender, but if
> I had a handful of locally defined vouching services, then I could use that
> to bypass a DMARC enforcement in the event that the message passes SPF and
> DKIM, yet fails alignment.

Dear Terry,

By carefully reviewing TPA-Label, you'll see it supports the VBR approach
(which requires affixing VBR information) and an approach where the domain can
offer the information directly. VBR assumes the domain being vouched for is
relatively unknown. Clearly, that is not the case with Yahoo or AOL. The
difference is fairly basic. TPA-Label simply requires a third-party domain to
be validated and found to have been listed. This listing can be done by the
DMARC domain directly, or another domain if they so wish. This will not have
an impact on normal message handling as VBR will. In essence, Yahoo or AOL
become the vouching domains with the TPA-Label approach. The benefit is this
makes no changes to the messages themselves.

Regards,
Douglas Otis
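
Added example, not part of the thread or written by either participant: a receiver-side sketch of the VBR (RFC 5518) check quoted above, used as a local override when a message passes SPF and DKIM but fails DMARC. The voucher set, the stub DNS zone, the sample header and all function names are constructed assumptions; a real receiver would issue TXT queries instead of reading STUB_ZONE.

```python
# Added illustration, not code from the thread. Domains, TRUSTED_VOUCHERS and
# the stub DNS zone are constructed; a real receiver would query TXT over DNS.
TRUSTED_VOUCHERS = {"voucher.example"}  # local set, never taken from the sender
STUB_ZONE = {"list.example._vouch.voucher.example": "list transaction"}
SAMPLE_VBR_INFO = "md=list.example; mc=list; mv=evil.example:voucher.example"


def parse_vbr_info(value):
    """Parse a VBR-Info header value into {'md': ..., 'mc': ..., 'mv': [...]}."""
    fields = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            fields[key.strip().lower()] = val.strip().lower()
    fields["mv"] = [v.strip() for v in fields.get("mv", "").split(":") if v.strip()]
    return fields


def vbr_vouched(vbr_info, dkim_pass_domains, resolve_txt):
    """Return the locally trusted voucher that certifies the message, or None."""
    info = parse_vbr_info(vbr_info)
    domain, msg_type = info.get("md"), info.get("mc", "all")
    # The asserted domain must itself be authenticated (here: a passing DKIM d=).
    if not domain or domain not in dkim_pass_domains:
        return None
    for voucher in info["mv"]:
        # Step 3 of the quoted process, restricted to the local set only.
        if voucher not in TRUSTED_VOUCHERS:
            continue
        # RFC 5518 query name: <domain>._vouch.<vouching service>, TXT record
        # holding a space-separated list of vouched message types.
        answer = resolve_txt(f"{domain}._vouch.{voucher}")
        types = answer.lower().split() if answer else []
        if "all" in types or msg_type in types:
            return voucher
    return None


def dmarc_disposition(policy, spf_pass, dkim_pass_domains, dmarc_pass,
                      vbr_info, resolve_txt):
    """Apply the DMARC policy unless a locally trusted voucher covers the message."""
    if dmarc_pass:
        return "accept"
    if spf_pass and dkim_pass_domains and vbr_info:
        if vbr_vouched(vbr_info, dkim_pass_domains, resolve_txt):
            return "accept (local VBR override)"
    return policy  # "none", "quarantine" or "reject"
```

The sender-listed `evil.example` is skipped because it is not in the local set, so only a voucher the receiver already trusts can lift enforcement.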