On Wed, 2018-07-11 at 12:22 +0100, Ivan Kovachev via dmarc-discuss wrote:
> The problem is that there are many other email encryption services out
> there and if the sender is using any of them then their recipients must
> also authorize them in their SPF records. This means that if any the
> sender or recipient is in DMARC reject when replying to such emails their
> emails will be rejected.
> Has anyone come across this problem before and what have you done to
> solved it? Is using subdomains (in DMARC none policy) for this email
> communication the only way to go for now?
Any service which spoofs email isn't going to play well with an active
If you require your clients to reduce their DMARC security posture (by
using no policy sub-domains etc.) in order to securely communicate with
you, I think you may loose that battle.
Your options are probably either to
a) relax / ignore email authentications signals from email originating at
b) move away from the service model and use product that doesn't need to
spoof emails in order to encrypt them, e.g. whatever Symantec call their
PGP gateway now or
c) implement S/MIME with an in-house or hosted PKI solution.
dmarc-discuss mailing list
NOTE: Participating in this list means you agree to the DMARC Note Well terms