On May 28, 2014, at 12:37 PM, John Levine <[email protected]> wrote: >> Its not clear to me that gmail.com needs to tell another service to trust >> the OAR from a given third party, the choice to trust that service could >> easily be up to the receiving service. > > Good point. That's why I keep saying that one or a few shared > DMARC-bypass whitelists would work a lot better than anything > per-sender. The set of senders where it makes sense to skip DMARC > checks for Yahoo or AOL or Gmail addresses are likely to be the same.
Doug, I read through the spec, and it is clear a lot of work went into it. I think I echo Brandon and John's above opinions. >From my PoV, there exists an immense pile of work to get through before the >draft under discussion becomes a solution. Aside from support, tooling, >getting senders to deploy accurately and getting receivers to perform >additional checks.. what is missing is the justification for the additional >work. DMARC is a tradeoff between keeping things as simple as possible (as unnecessary complexity acts as a giant barrier to adoption), building on existing technologies (as new code/libraries in the world of email means tacking on additional calendar years), and solving a problem that hurts enough to warrant doing anything at all. I don't believe TPA-Label hits the mark between "solving a big hurt" and "simple". IOW, it's too complicated for the amount of pain it would resolve. Just my opinion, take care, =- Tim _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
