Kurt Roeckx wrote:
On Mon, Apr 14, 2014 at 12:42:25AM -0700, Murray S. Kucherawy wrote:
On Sat, Apr 12, 2014 at 8:10 AM, Kurt Roeckx <[email protected]> wrote:
2. The spec is clear about how it works and what the implications are.
The issue with mailing lists is well-documented.
I don't agree with this.
If you have any specific suggestions for how it can be improved, now would
be a good time to make them.
I thought I made my comments about this in the past, but I can't
actually find them. Some of them are:
- It does not describe how it (ab)uses existing technology and
breaks existing things. It's not clear what the effects of the
alignment are.
- It does not say anything about how participating mailing lists
should behave.
- It's not clear how reports should look for messages that
don't pass. It would help if there were examples in it.
What would also help is:
- Implementations that actually follow the spec. So far I have
received 0 report mails that follow the specification.
And a definitive statement as to whether or not Yahoo's implementation
recognizes Original-Authentication-Results - which would represent a
low-impact way to interoperate with DMARC.
Kind of trying to decide whether to invest time and energy in patching
our Sympa installation to generate OAR headers - but so far, the only
folks who claim to support it are Google - and I've received multiple
anecdotal statements that "nobody has implemented it."
The dmarc.org FAQ recommends: "Add an Original Authentication Results
<http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR)
header to indicate that the list operator has performed authentication
checks on the submitted message and share the results." but a few days
ago this was added: "*This is not a short term solution.* Assumes a
mechanism to establish trust between the list operator and the receiver.
No such mechanism is known to be in use for this purpose at this time.
Without such a mechanism, bad actors could simply add faked OAR headers
to their messages to circumvent such measures. OAR was only described as
a draft document, which expired in 2012. No receivers implementing DMARC
are currently known to make use of OAR from external sources."
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
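
The trust problem the FAQ text describes, as an added example that is not part of the original message or of any DMARC implementation: a receiver-side gate that ignores an Original-Authentication-Results header unless the receiver's own MTA recorded a DKIM pass for an allowlisted list operator. The authserv-id, the allowlist and the sample messages are assumptions constructed for illustration, and the check does not confirm that the list's signature covers the OAR header itself.

```python
import re
from email import message_from_string

# Assumptions (not from the thread): this receiver's authserv-id and a locally
# maintained allowlist of list-operator DKIM signing domains.
MY_AUTHSERV_ID = "mx.receiver.example"
TRUSTED_LIST_DOMAINS = {"lists.example.org"}

def dkim_pass_domains(msg):
    """DKIM d= domains that passed, per Authentication-Results stamped by our own MTA.
    Assumes the border MTA strips inbound copies that carry our authserv-id."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.lower().split()[:1] != [MY_AUTHSERV_ID]:
            continue  # another host's verdict: anyone can write one
        for result in results.split(";"):
            if re.match(r"\s*dkim\s*=\s*pass\b", result, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", result, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def usable_oar(msg):
    """Return the OAR value only when a trusted list operator signed the message."""
    oar = msg.get("Original-Authentication-Results")
    if oar is None or not (dkim_pass_domains(msg) & TRUSTED_LIST_DOMAINS):
        return None  # absent, or nothing vouches for it: treat as untrusted input
    return oar.strip()

# Constructed sample messages (not real traffic).
OAR = "lists.example.org; dkim=pass header.d=author.example"
FROM_LIST = message_from_string(
    "Authentication-Results: mx.receiver.example; dkim=pass header.d=lists.example.org\n"
    f"Original-Authentication-Results: {OAR}\n"
    "From: someone@author.example\n\nbody\n")
SELF_ASSERTED = message_from_string(
    "Authentication-Results: mx.other.example; dkim=pass header.d=lists.example.org\n"
    f"Original-Authentication-Results: {OAR}\n"
    "From: someone@author.example\n\nbody\n")

if __name__ == "__main__":
    print("from trusted list:", usable_oar(FROM_LIST))
    print("self-asserted:", usable_oar(SELF_ASSERTED))
```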