J. Gomez suggests:

> That would force DMARC-compliant Mediators to reject (or accept but not resend) incoming email from p=reject domains, irrespective of whether or not such mail passes the initial incoming DMARC checks.
Something about having mediators (i.e., non-MTAs) implement this check was bothering me. I realized that the nagging thought was the *Mediator* doesn't have to do it.

Variation A: The *outgoing MTA* can do this check; it has the same information (the "From" field, the DKIM signature, and the DNS) that the mediator does. This outgoing check is just a variation on the spam-fighting theme of "if pretty much anybody can send from your system, you have to check outgoing mail as well as incoming mail."

Having the outgoing MTA do the check has the following advantages:

- MTAs already have to implement DMARC logic; Mediators would not have to.
- Where the outgoing MTA is also the incoming MTA (or they can communicate), the DMARC policy can be cached, possibly avoiding a DNS check.
- When the outgoing MTA rejects based on next-hop DMARC rejection, it can inform the Mediator of the reason for rejection (which SMTP servers often fail to provide to the SMTP client). This is actually important to MLMs, at least, which often count bounces and disable or cancel subscriptions based on the result.

Disadvantages:

- Naive MLMs (and perhaps other Mediators) can generate many copies of a single message, and present them individually to the MTA. It would be better to do the detection at addressee generation time in the MLM. Note: this may not be as expensive as it seems at first glance, as given the Message-Id and the addressee, the result is known without doing any further checks. Many MTAs do parse out the Message-Id, for reporting in logs if nothing else.

I'm not a big fan of rejecting mail in this way, but it also led to the thought that it would be nice to be able to avoid the somewhat finicky DNS checks in Mediators that want to be DMARC-aware. Thus variation B.

Variation B: When the incoming MTA knows the local recipient is a Mediator, it could perform the policy lookup even for From-aligned messages, and communicate that (perhaps in the Authorization-Results field).
I doubt that this could be more efficient, but again the implementation would be done in MTAs, which have to do it anyway.

_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
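Variation A, as an added example (not the post's own code, nor any real MTA's): the outgoing MTA applies the From domain's DMARC policy to a Mediator's copy before relaying it, and caches the verdict per Message-Id so a naive MLM's many copies cost one lookup. The DNS table, the messages, the `mediator_modified` flag and the two-label organizational-domain rule are constructed assumptions.

```python
import re

DMARC_TXT = {  # constructed stand-in for TXT lookups at _dmarc.<domain>
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s",
    "_dmarc.example.org": "v=DMARC1; p=none"}
CACHE = {}              # Message-ID -> verdict; assumes the Mediator treats all copies alike
STATS = {"lookups": 0}  # policy lookups performed, to show the cache working

def org_domain(d):
    return ".".join(d.split(".")[-2:])  # assumption: no public suffix list used

def tags(rec):  # "v=DMARC1; p=reject" -> {"v": "DMARC1", "p": "reject"}
    return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)

def dmarc_policy(from_dom):  # -> (policy, strict_dkim); a subdomain inherits sp= (else p=)
    STATS["lookups"] += 1
    for dom, key in ((from_dom, "p"), (org_domain(from_dom), "sp")):
        if "_dmarc." + dom in DMARC_TXT:
            t = tags(DMARC_TXT["_dmarc." + dom])
            return t.get(key, t.get("p", "none")), t.get("adkim", "r") == "s"
    return "none", False

def outgoing_check(hdrs, mediator_modified=True):
    """Verdict the outgoing MTA can hand back to the Mediator: ('accept'|'reject', reason)."""
    mid = hdrs["Message-ID"]
    if mid not in CACHE:  # another copy of a message already seen needs no new checks
        from_dom = re.search(r"@([\w.-]+)", hdrs["From"]).group(1).lower()
        m = re.search(r"\bd=([\w.-]+)", hdrs.get("DKIM-Signature", ""))
        sig = m.group(1).lower() if m else None
        policy, strict = dmarc_policy(from_dom)
        aligned = sig is not None and (sig == from_dom if strict
                                       else org_domain(sig) == org_domain(from_dom))
        # Rewriting Subject or body breaks the author's signature, and the list's own
        # MAIL FROM never aligns, so the next hop would see no aligned pass at all.
        if policy == "reject" and not (aligned and not mediator_modified):
            CACHE[mid] = ("reject", f"{from_dom} publishes p=reject; no aligned pass survives mediation")
        else:
            CACHE[mid] = ("accept", f"{from_dom} policy is p={policy}")
    return CACHE[mid]

def relay_copies(hdrs, addressees):  # naive MLM: one copy per addressee
    before = STATS["lookups"]
    verdicts = [outgoing_check(hdrs) for _ in addressees]
    return verdicts[0][0], STATS["lookups"] - before  # (verdict, lookups spent)

MSG_LIST_POST = {  # constructed: author at a p=reject domain, list adds a Subject tag
    "Message-ID": "<m1@example.com>", "From": "Alice <alice@example.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject; b=..."}
```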
