On 09 May 2015 20:43:34 -0000, "John Levine" <[email protected]> wrote:
> > Isn't the ideal objective of DMARC to be so reliable that *everybody*
> > uses it with p=reject.
>
> No. Most domains aren't subject to significant phishing attacks, so
> for them it's useful for incoming mail from Paypal et al, but not for
> outgoing mail.

I take it that a *significant* phishing attack is one where the 5322.From domain is involved with money, and the hook is a URL at a free web hosting site where the phisherpholk will harvest credentials so they can get some of that money?

If that's the case, then perhaps you're right. Our little university domain gets plenty of annoying but insignificant phishing attacks, with the perps looking for credentials for ordinary student/faculty accounts that they can use to launch other, sometimes significant, phishing attacks (or just send a lot of spam).

However, if the whole point of p=reject is to protect a relatively small number of sensitive domains like Paypal, iTunes, et al., then maybe it would be helpful simply to say so in a forthcoming standards track RFC, perhaps with words like

    A domain SHOULD NOT publish a p=reject policy if it will emit mail
    intended to be mediated with modifications by another domain unless
    the mediating domain is exempted from the policy by [fill in the
    eventually approved mechanism(s)].

That would at least nudge errant ESPs away from their misguided ways, and the rest of us can honor p=reject without losing any sleep over it.

> > At that point, 5322.From addresses will all
> > be munged. Why not skip the complexity and start munging them all now?
>
> Ewwww.

FWIW, I did write that I wasn't keen on that approach. :-)

MJA
