On Thursday, April 17, 2014 5:44 PM, Joseph Humphreys wrote:

> At one time I suggested adding a feature to list domains that could
> be considered "in alignment" with yours. So if a domain owner wanted
> to authorize an email service provider, they could just add something
> to their DMARC policy to specify the domain the ESP uses for SPF/MailFrom
> and/or DKIM signing. I am still curious what's wrong with this proposal.
> It seems to me to cover Vlatko Salaj's use case, and would certainly be
> easier to implement than arranging to share a DKIM key.

finally, somebody that sees things from perspective other than a big sender.

also, plz notice, working with DKIM 3rd party support is not only pretty messy, but usually not a supported option. so, DMARC badly needs its own solution for this alignment problem.

On Thursday, April 17, 2014 5:42 PM, MH Michael Hammer (5304) wrote:

> Third party services such as greeting cards are actually a much different
> use case than mailing lists.

if, and only if, it's built in DMARC-compatible way. and this isn't all that natural or intuitive. it seems DMARC wants to change everything to have it compatible with itself. i can understand how this benefits big players. it's just pity big players don't understand how this doesn't work for small players, aka 90% of the net.

>> 2. alignment OFF, in which case domain owner specifies they have no benefit
>> from DMARC alignment checks, but do want other checks performed, such
>> as AND-logic mechanism evaluation, for example.

> If I were evil I could consistently defeat this every day of the week
> without much effort.

domain owner publishing alignment-OFF policy wants such policy. who cares if anyone can beat it? it's their decision and they r ready to suffer consequences for whatever reason. at least they have an option. maybe they just want to process SPF and DKIM in a standard way, as defined by DMARC. without DMARC "reject" rule, they lose that.

>> 3. alignment domain-list value to include in alignment check: list of domains
>> the domain owner wants to have included in DMARC alignment check,
>> complementing from: header domain

> This doesn't scale.

it scales the same way it scales for SPF. i see no problem there. also, scaling isn't rly an issue for big ESP. they will just use alignment-ON and force everyone to adapt. just like yahoo did recently.

alignment domain-list is of great value to small domains. i'm quite sure this would be one of the most used tags in DMARC policy, if included in spec.

>> actually, Sender-ID isn't all that bad at all. it was way ahead of its time.

> Microsoft dropped support for Sender-ID in favor of SPF.

merely cause it's not widely adopted. not because it's completely broken.

> When I sent them crafted emails showing that I could consistently get
> a neutral under PRA checking for ANY From domain (abusing the sender field)
> they agreed that this was a problem.

neutral result isn't a pass, under current DMARC evaluation rules. so, it's not the same situation as with plain Sender-ID check.

> Could you identify any specific instances where public-suffix has been
> a significant (or non-significant) problem in the wild?

yes, i can. almost any new free domain service will have issues with this, until such public-suffix picks it up... which is yet another nightmare of infrastructure support. as i said, we r opening a can of worms here, especially where ICANN is moving with top-lvl domains. i saw it happening with Symantec's SafeWeb as well as all other URL checking services developed in recent years. it's a mess and needs high maintenance.

--
Vlatko Salaj aka goodone
http://goodone.tk

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
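
Added example, not part of the original message or of any DMARC implementation: a minimal identifier-alignment check showing how an out-of-date public-suffix list changes the result for domains under a new free-domain suffix, and what a per-domain alignment list would change for an ESP. All domain names and suffix data are constructed, the suffix lookup omits wildcard and exception rules, and the `extra` parameter is a hypothetical stand-in for the domain list proposed in the thread, which is not a DMARC tag.

```python
# Constructed suffix data; a real evaluator loads the full Public Suffix List.
STALE_PSL = {"test", "example"}
CURRENT_PSL = STALE_PSL | {"freedns.example"}  # hypothetical free-domain suffix


def org_domain(domain, psl):
    """Organizational domain: longest public suffix plus one label.
    Simplified: no wildcard or exception rules."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix unknown: assume last two labels


def aligned(from_domain, auth_domain, psl, mode="r", extra=()):
    """mode "r" = relaxed, "s" = strict. `extra` models the domain list
    proposed in the thread; it is hypothetical, not a DMARC tag."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        ok = f == a
    else:
        ok = org_domain(f, psl) == org_domain(a, psl)
    return ok or a in {d.lower() for d in extra}


def dmarc_pass(from_domain, results, psl, mode="r", extra=()):
    """results: (mechanism, result, domain) tuples from SPF and DKIM.
    Only an aligned "pass" counts; "neutral" never does."""
    return any(res == "pass" and aligned(from_domain, dom, psl, mode, extra)
               for _mech, res, dom in results)


if __name__ == "__main__":
    esp = [("dkim", "pass", "mail.esp.test")]  # constructed ESP signature
    print("ESP, no list:", dmarc_pass("smallshop.test", esp, CURRENT_PSL))
    print("ESP, listed: ", dmarc_pass("smallshop.test", esp, CURRENT_PSL,
                                      extra=["mail.esp.test"]))
    other = [("dkim", "pass", "mallory.freedns.example")]  # unrelated registrant
    for name, psl in (("stale", STALE_PSL), ("current", CURRENT_PSL)):
        print(name, "PSL:", dmarc_pass("alice.freedns.example", other, psl))
```

With the stale list, two unrelated registrants under the same free-domain suffix share an organizational domain and relaxed alignment passes; once the suffix is listed, the same message fails alignment.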
