Michael Jack Assels writes:

> As I read it, that means AOL and Yahoo are taking the position that
> DMARC's p=reject is The Right Thing To Do, while accepting that it's
> going to give wrong answers for indirect mail flows, and that it's up
> to MLM developers (and other producers of indirect flows) to deal with
> it.
First, I don't think that interpretation is tenable, because their explanations to us are along the lines of "we know that we're a little out of line, but we have no choice."

Second, the relevant producers of indirect mail flows are not the MLMs. They generally produce a direct mail flow, albeit unaligned. It's the mailbox provider's own users who produce indirect mail flows, by posting to the mailing lists.

> > No, there is valuable information in the policy. As far as I can see,
> > the semantics of "p=reject" are
> >
> > We have a serious spoofing problem. It is so serious compared to
> > the potential damage due to rejecting legitimate messages that we
> > accept all responsibility for nondelivery and collateral damage if
> > you choose to reject.
>
> I can accept that that may be what p=reject means, but I can't take
> seriously the idea that domain owners with p=reject really do take
> all responsibility for nondelivery of legitimate messages. When
> one of my users bangs on my door demanding to know why her message
> wasn't delivered, can I really refer her to a giant ESP for
> an explanation? I don't think so.

No, of course you can't, because they'll tell her that's not what they intended, and that it wouldn't be a problem if the third party behaved well. However, you can tell her that the giant provider told the receiver not to accept her messages. That's what DMARC actually says, and that's why I phrase it "accept responsibility".

> I'd be happier to interpret "p=reject" as meaning
>
> Spoofing is a serious problem. With a very high degree of certainty,
> we assert that the message you're handling is not legitimate direct
> mail. Please take this into account when deciding whether to accept
> or reject the message.

There's only one problem with that interpretation, and that is that you don't need DMARC p=reject to make it: it's a logical deduction from the mere fact of lack of From alignment.
> For DMARC participants, legitimacy and illegitimacy are equally
> easy to prove for transactional mail flows, and equally hard to
> prove for indirect flows.

That's actually false. There are many indirect flows that don't cause signatures to be invalidated, such as Unix-style .forwards and GNU Mailman mailing lists configured with no subject tag, no header, and no footer. And that's where the shoe pinches for mailing lists: the absolutist advocates of sender policy blame the victim and say we should stop our traditional value-added practices so that posters from p=reject domains can have their posts delivered.

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
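The following is an added example, not code from the IETF dmarc list, from either poster, or from any DMARC or DKIM implementation. It models the two mechanisms the message above turns on: DMARC identifier alignment between the From: domain and the DKIM d= or SPF domain, and the DKIM body hash (bh=), which a Mailman footer changes and a .forward or an untouched list leaves alone. The domains (example.com as the p=reject sender, ietf.org as the list), the message body and the footer are constructed for illustration, and the organizational-domain logic is a deliberate simplification (last two labels rather than the Public Suffix List), flagged in the code.

```python
"""Added example: which indirect flows survive DMARC p=reject and why.

Standard library only. Models DMARC identifier alignment (RFC 7489 s3.1)
and the DKIM body hash with relaxed body canonicalization (RFC 6376 s3.4.4).
All domains, bodies and results are constructed for illustration.
"""
import base64
import hashlib
import re


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION/simplification: last two labels.
    Real DMARC consults the Public Suffix List (example.co.uk differs)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """RFC 7489 alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, dkim_results, spf_result, policy,
                   adkim="r", aspf="r"):
    """dkim_results: list of (d= domain, signature verified?) pairs.
    spf_result: (MAIL FROM domain, SPF passed?).
    DMARC passes if any aligned identifier authenticated; otherwise the
    published policy (none/quarantine/reject) becomes the disposition."""
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    spf_domain, spf_ok = spf_result
    spf_aligned_ok = spf_ok and aligned(from_domain, spf_domain, aspf)
    if dkim_ok or spf_aligned_ok:
        return {"result": "pass", "disposition": "none"}
    return {"result": "fail", "disposition": policy}


def relaxed_body(body: str) -> bytes:
    """RFC 6376 relaxed body canonicalization: strip trailing WSP per line,
    collapse WSP runs to one space, CRLF endings, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines).encode()


def body_hash(body: str) -> str:
    """The bh= value a DKIM signer records in DKIM-Signature (sha256/base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def dkim_body_verifies(signed_bh: str, body_as_received: str) -> bool:
    """A verifier recomputes bh= over the body it received; any mismatch
    fails the whole signature, whatever the header signature says."""
    return body_hash(body_as_received) == signed_bh


# Constructed sample post from a p=reject domain (not a real message).
ORIGINAL_BODY = "Hello list,\n\nPlease review the draft.\n\n-- \nAlice\n"
LIST_FOOTER = ("_______________________________________________\n"
               "dmarc mailing list\nhttps://www.ietf.org/mailman/listinfo/dmarc\n")


def scenarios():
    """Four deliveries of the same post. From: stays alice@example.com,
    and example.com is assumed to publish p=reject."""
    sender = "example.com"
    bh = body_hash(ORIGINAL_BODY)  # fixed at signing time by the sender's MTA

    def dkim(body):
        return [("example.com", dkim_body_verifies(bh, body))]

    return {
        # Direct mail: DKIM and SPF both aligned.
        "direct": dmarc_evaluate(sender, dkim(ORIGINAL_BODY),
                                 ("example.com", True), "reject"),
        # Unix .forward: bytes untouched, so DKIM survives even though SPF
        # fails at the final hop (forwarding host not in example.com's SPF).
        "dot_forward": dmarc_evaluate(sender, dkim(ORIGINAL_BODY),
                                      ("example.com", False), "reject"),
        # Mailman with no tag/header/footer: SPF is the list's (unaligned),
        # but the untouched body keeps the aligned DKIM signature valid.
        "list_untouched": dmarc_evaluate(sender, dkim(ORIGINAL_BODY),
                                         ("ietf.org", True), "reject"),
        # Mailman appending a footer: bh= no longer matches, DKIM fails,
        # nothing aligned is left, and p=reject asks the receiver to reject.
        "list_footer": dmarc_evaluate(sender, dkim(ORIGINAL_BODY + LIST_FOOTER),
                                      ("ietf.org", True), "reject"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:15s} {verdict['result']:4s} -> {verdict['disposition']}")
```

Only the footer case ends in a reject: the untouched-list and .forward cases keep the original DKIM signature verifiable, and with relaxed alignment that single aligned identifier is enough for DMARC to pass even though SPF is unaligned or failing. The same body-hash mismatch would be produced by a subject tag only if the signer included Subject: in h=, which the example does not model.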
