> -----Original Message-----
> From: Hector Santos [mailto:[email protected]]
> Sent: Friday, May 15, 2015 2:04 PM
> To: MH Michael Hammer (5304)
> Cc: [email protected]
> Subject: Re: [dmarc-ietf] Simple authorization offers reasonable control over messaging resources
>
> On 5/15/2015 11:07 AM, MH Michael Hammer (5304) wrote:
>
> >
> > This is one of the reasons I have held back from participating in the discussions/attempts to come up with authorizations for unrelated 3rd parties. Even recognizing the resistance from various quarters, 3rd parties and intermediaries (which modify messages) taking responsibility for messages they emit is ultimately the cleanest and most workable approach. Yes it requires change on the part of some (I'm waiting for shouts of "GET OFF MY VIRTUAL LAWN").
> >
>
> I noticed that with your ag.com, you only have an SPF -ALL record. No ADSP, no DMARC. I also notice that you didn't sign your mail. So I don't know if you have a DKIM public key.
>

Ag.com is not a domain I control - it is controlled by my corporate parent (enterprise) and used for enterprise mail. The website domains I'm responsible for have been publishing an SPF -all, DKIM sign all mail and publish a DMARC p=none. The SPF, DKIM and the equivalent of DMARC p=none through private channels (yes, I helped create DMARC) have been in place since 2007 and working quite nicely thank you. If you go back to the dkim-ops list archive you will find an email from me asserting that anyone should feel free to throw away email that failed to validate our (domains) DKIM signature or aligned SPF. The only thing I had to do when the DMARC spec was completed was publish a p=none record.

> So basically, you decided not to have any assertions made on your ag.com from a DKIM, Trust and Reputation, Policy standpoint. The odds are high that if you are going to get spoofed, it will have to be sent from a different an unauthorized IP address.
>

I can't decide policy for a domain I don't control. In this case I'm a user like any other. I have, of course, expressed my opinion. This is no different than if I subscribed to the list from Gmail or some other service provider.

> With a SPF -ALL, it lowers the need for DMARC, ADSP. That's another reason why there is less urgency.
>

Most mailbox providers I'm aware of do not reject mail solely on the basis of an SPF -all failure. There are far too many incorrectly published/problematical records out there that they wish to take that risk. This is one of the reasons that DMARC was developed.

> DMARC is really a helper for SPF softfail (~ALL) or neutral (?ALL) policies.

You place too much emphasis on SPF. There is a reason that DMARC policy is only considered if both (aligned) SPF AND DKIM fail to validate.

>
> During the DKIM-WG, Microsoft did talk about using ADSP DISCARD with a SPF SOFTFAIL.
>

Lots of things were talked about in the DKIM working group.
That might be one reason it took so long for the group to get things done.

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
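
The point made in the reply above, that DMARC policy is only considered when both aligned SPF and aligned DKIM fail, sketched as an added example (not part of the original message and not any mail filter's code). Assumptions: the class and function names are hypothetical, the inputs are constructed, the organizational domain is approximated as the last two labels rather than a Public Suffix List lookup, and tags such as `pct` and `sp` are ignored.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real evaluators
    # consult the Public Suffix List to find the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:                     # hypothetical container
    from_domain: str                   # RFC5322.From domain
    spf_result: str                    # pass / fail / softfail / neutral / none
    spf_domain: str                    # RFC5321.MailFrom domain checked by SPF
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d=)


def dmarc_disposition(r: AuthResults, policy: Optional[str],
                      aspf_strict: bool = False,
                      adkim_strict: bool = False) -> str:
    """policy is the published p= value, or None when no record exists."""
    if policy is None:
        # No DMARC record: an SPF -all failure is left to local policy.
        return "no-dmarc"
    spf_ok = (r.spf_result == "pass"
              and aligned(r.spf_domain, r.from_domain, aspf_strict))
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, adkim_strict)
                  for res, d in r.dkim)
    if spf_ok or dkim_ok:
        return "pass"                  # one aligned pass is enough
    # Both mechanisms failed or were unaligned: only now does p= apply.
    return {"none": "fail-deliver",
            "quarantine": "fail-quarantine",
            "reject": "fail-reject"}[policy]


# Constructed case: forwarded mail, SPF -all fails, aligned DKIM survives.
FORWARDED = AuthResults("example.com", "fail", "example.com",
                        [("pass", "mail.example.com")])
# Constructed case: third party passes SPF and DKIM for its own domain only.
THIRD_PARTY = AuthResults("example.com", "pass", "bounce.example.net",
                          [("pass", "example.net")])
```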
