The genius of DMARC, as compared to DKIM and SPF alone, is the feedback
component.  Unfortunately, sender authentication remains challenged by
these issues:

  - Limited deployment of DMARC feedback between senders and receivers.
  - Significant levels of SPF and DKIM validation errors, on legitimate
    mail, even when indirect mail is not involved.  Handling false
    positives becomes a significant obstacle to implementation of Sender
    Authentication by receivers.
  - When the sender has not implemented DMARC, the recipient has
    difficulty communicating with the sender about Sender Authentication
    problems.  Finding a knowledgeable employee is difficult and
    time-consuming, so it will rarely be attempted.  (And I have tried it.)

I propose two improvements to deal with this issue.  The first is to
define another feedback mechanism using message reception status codes.
The second is intended to reduce DKIM verification errors, and will be
posted later.
  
 PROPOSAL
  
When a recipient detects an SPF or DKIM problem, it can provide immediate
feedback to the sender with message status codes.  I think this is a
complete list of the conditions which would need a result status defined.
The approach should be entirely upward-compatible with the existing
infrastructure.
  
Message Success with SPF warning
  - Accepted despite SPF=NONE & Source IP not in MX list
  - Accepted despite SPF=NEUTRAL
  - Accepted despite SPF=SOFTFAIL
  - Accepted despite SPF=FAIL
  - Accepted despite SPF TempError
  - Accepted despite SPF PermError

Message PermFail because of SPF
  - Rejected because of SPF=NONE & Source IP not in MX list
  - Rejected because of SPF=NEUTRAL
  - Rejected because of SPF=SOFTFAIL
  - Rejected because of SPF=FAIL
  - Rejected because of SPF TempError
  - Rejected because of SPF PermError

Message TempFail because of SPF
  - TempFail due to SPF TempError

Message accepted despite DKIM
  - Accepted despite DKIM PermError
  - Accepted despite DKIM TempError

Message PermFail because of DKIM (not recommended)
  - Rejected because of DKIM PermError
  - Rejected because of DKIM TempError

Message TempFail because of DKIM
  - TempFail because of DKIM TempFail
  
 Since DMARC evaluation is based on SPF and DKIM evaluated together, the 
above codes would seem applicable even with DMARC enforcement.   I think 
these additional codes should be sufficient:
  - DMARC PermError (invalid policy record)
  - DMARC TempError (problem retrieving policy record.)

 Is this reasonable?
  
 Doug Foster
  

  

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
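
An added example, not part of the original message or of any DMARC specification: a sender-side sketch that reads SMTP reply lines carrying the conditions listed in the proposal and tallies them. The wire format (the proposal's wording as reply text after the basic SMTP code), the function names and the sample replies are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed format: "<code> [<enhanced code>] <condition text>", where the
# condition text uses the wording from the proposal's list.
_REPLY = re.compile(
    r"^(?P<code>[245]\d\d)[ -]"
    r"(?:\d\.\d{1,3}\.\d{1,3} )?"  # optional enhanced status code, ignored here
    r"(?P<verb>Accepted despite|Rejected because of|TempFail (?:due to|because of)) "
    r"(?P<mech>SPF|DKIM|DMARC)[= ](?P<result>[A-Za-z]+)"
)

# The SMTP reply class each disposition must arrive with.
_CLASS_FOR = {"accepted": "2", "rejected": "5", "tempfail": "4"}


def parse_feedback(reply_line):
    """Return (disposition, mechanism, result), or None if no feedback is present.

    Raises ValueError when the text contradicts the SMTP reply class."""
    m = _REPLY.match(reply_line.strip())
    if m is None:
        return None
    disposition = m.group("verb").split()[0].lower()
    if m.group("code")[0] != _CLASS_FOR[disposition]:
        raise ValueError("reply class does not match text: " + reply_line)
    return disposition, m.group("mech"), m.group("result").upper()


def summarize(reply_lines):
    """Count feedback conditions; collect replies whose code and text disagree."""
    counts, inconsistent = Counter(), []
    for line in reply_lines:
        try:
            fb = parse_feedback(line)
        except ValueError:
            inconsistent.append(line)
            continue
        if fb is not None:
            counts[fb] += 1
    return counts, inconsistent


# Constructed sample replies, as a sending MTA might log them.
SAMPLE = [
    "250 Accepted despite SPF=SOFTFAIL",
    "250 Accepted despite DKIM PermError",
    "550 Rejected because of SPF=FAIL",
    "451 TempFail due to SPF TempError",
    "250 OK queued as 12345",
    "250 Accepted despite SPF=SOFTFAIL",
    "550 Accepted despite SPF=FAIL",
]
```

A sender could run such a tally over its outbound delivery logs to see which receivers report SPF or DKIM problems on mail that was still accepted.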
