I've begun looking at adding DMARC support into our existing DKIM,
ADSP, ATPS, ASL framework. To explore all this, I converted our
public ADSP/ATPS/ASL Zone Record Creator web-based wizard to use DMARC
with the ATPS/ASL extensions at:
DMARC Policy Zone Record Generator and Test Simulator v3.0
http://www.winserver.com/public/wcdmarc
Testers are welcome to send comments, suggestions to me.
Off hand, I think the DMARC draft needs to be updated for two basic
fundamental parts:
1) Separate Policy Handling and Reporting. If I read the draft right,
reporting is mandatory. Reporting should not be mandatory to DMARC
receivers. Not all receivers will want to add this huge overhead
component just to support the most important part; the security policy
portion of the protocol. Reporting is bound to be ignored and the
DMARC draft should recognize this reality by not making essential nor
necessary.
2) To address the critical 3rd party Resigner concerns and policy
semantics, at a minimum, add a new "tps=" tag that says Third Party
Signers (tps) are allowed with/out an IETF registered authorization
mechanism. See the tps= proposal below for this.
With these two basic considerations, we gain lower barriers to
adoption, faster migration for all segments of the mail system that
for the most part has took the IETF opponents of the DKIM author
domain policy framework by surprise. It didn't surprise any of the
IETF proponents of this DKIM author domain framework, but we were on
the losing side of the 3rd party vs 1st party signer policy extremely
rough consensus debates.
This does not suggest that the YAHOOs will begin to allow 3rd party
signers, but when the proper protocol options available, which are not
there now, it opens the doors (and eyes) to the possibility to have a
smoother transition and integration. It creates the synergism to
address all parties in the integrated mail network.
About the "tps=" tag, a quick summary of the idea, this tag describes
a DMARC policy which allows 3rd party signers w/o authorization
depending on the value of "tps=":
missing --> fallback to 1st party DMARC only
tps= --> same as missing
tps=y --> any 3rd party allowed
tps=methods --> registered method(s) available by the domain.
Examples of registered methods:
tps=atps rfc6541 DKIM Authorized Third-Party Signatures
tps=vbr rfc5518 Vouch By Reference
tps=tpa Otis's TPA draft
with multiples allowed:
tps=vbr,atps,tpa
This says, the domain has records for each VBR, ATPS, and TPA method.
The receiver should use the first known negotiated method among the
list. If no method is known by the receiver, it falls back to missing
as the fail-safer approach. However, it can be overwritten by adding
"y" to the end of the methods.
I personally, would like to add additional "asl=" allowed signer list
tag since it will be more optimal for the majority of domains in the
market who are bot now interested in having many 3rd party signers,
but a short list of domains:
asl=domain-list comma delimited list of domains
But it may be asking for too much to get "asl=" into the total picture.
--
HLS
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
