Post Scriptum: DMARC can say one of two things:
-- all mails for a domain are DKIM-signed and aligned, according to the domain owner
-- not all mails for a domain are DKIM-signed and aligned (e.g. when the DMARC policy is absent, or p=none) according to the domain owner

Does the DMARC specification need to propose what to do with emails in the first case above, when the DKIM-signature is not-valid/aligned? Some people will say yes. I say no: there is no need to give one of two possible pieces of advice on this (and there is no means to enforce the advice).

Anyway, as I said I do not expect any consensus on this. Please consider including in the DMARC specification a discussion on what is reasonable, e.g. as outlined in the email below, and elaborate pros and cons on r=reject and r=quarantine. As the topic is controversial, it shall be presented as controversial in the specification.

I do not follow the discussions here, I suppose that by now it is addressed, that „p=quarantine;pct=0“ should be interpreted as „do MLM munging”, and p=none to mean „no MLM munging”.

⇐⇐⇐⇐⇐

From: Vladimir Dubrovin <[email protected]>
To: Dotzero <[email protected]>, Vladimir Dubrovin <[email protected]>
CC: IETF DMARC WG <[email protected]>, Дилян Палаузов <[email protected]>
Subject: Re: [dmarc-ietf] Abolishing DMARC policy quarantine
Date: Fri, 14 Jun 2019 19:25:02 +0300

Nope, I mean 2 different things.

1. Why quarantine is useful (with pct=0).

For example this mailing list ([email protected]) performs From rewrite (aka From munging), e.g. [email protected] is replaced with [email protected]. It's because corp.mail.ru has a strict DMARC policy (reject). [email protected] is not overwritten, because gmail.com has p=none and ietf.org overwrites From only for domains with "quarantine" and "reject" policies. It's quite common behavior.

If you are implementing DMARC for a new domain (let's say example.org), you usually start with "p=none". With p=none you receive reports for failed DMARC for different lists, like ietf.org. Before switching to stronger policy (p=reject), you may want to know which mailing list will still fail DMARC, and which lists perform From munging and, as a result, do not fail DMARC.
For this purpose, before switching to "p=reject" it's useful to switch to "p=quarantine;pct=0". After this, you will only see mailing lists without From munging in DMARC reports.

2. Why quarantine should not be used with pct different from 0

If you start enforcing strong DMARC policy with "p=reject" and you have some previously uncaught misconfiguration (e.g. wrong envelope-from address in some once-in-the-month mailing), you see DMARC failures in your logs and you can react to these failures and even re-send the messages affected. If you start with "p=quarantine" you have no feedback except reports, and reports are received with a huge lag (up to 2 days) and do not provide sufficient information to catch the exact problem and you can not re-send the quarantined messages.

⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒

On Wed, 2020-12-02 at 13:15 +0200, Дилян Палаузов wrote:
> Hello,
>
> On Tue, 2020-12-01 at 15:55 -0800, Dave Crocker wrote:
> > On 12/1/2020 3:17 PM, John R Levine wrote:
> > > #39 proposes that we remove p=quarantine. I propose we leave it in,
> > > even if it is not very useful, because trying to remove it would be
> > > too confusing.
> >
> > process, I suggest this issue gets some meaningful discussion. My email
> > archive indicates it hasn't gotten any discussion at all.
>
> This was discussed under the subject “Abolishing DMARC policy
> quarantine” in June 2019. There was no consensus. SMTP offers this
> distinction and this is mirrored in DMARC. In particular, senders are
> free to publish p=quarantine and recipients are free to interpret it
> as p=reject. Senders can publish p=reject and receivers are free to
> interpret it as p=quarantine.
>
> Moreover, some destination addresses do not have the concepts of a
> quarantine. E.g. an address that accepts commands for mailing lists
> managements. Such addresses can either accept or reject the message -
> there is no quarantine, so interpreting published p=quarantine as
> p=reject is feasible.
>
> Recalling the discussion from June 2019 I do not count on any different
> consensus, if the discussion happens here again now.
>
> Greetings
>   Дилян

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
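
The staged rollout described in the forwarded message (p=none, then p=quarantine;pct=0, then p=reject), as an added example that is not part of the original thread: it parses a DMARC record, applies the list rule quoted above (rewrite From for quarantine and reject domains), and applies the pct sampling fallback from RFC 7489. The records, the rua address and all function names are constructed for illustration, and the parsing is simplified.

```python
# Added example. Records are constructed; example.org is the placeholder
# domain used in the message above. Simplification: an unusable record is
# treated as p=none, pct=100.
POLICIES = ("none", "quarantine", "reject")

def published_policy(txt):
    """Return (p, pct) from a DMARC TXT record."""
    segments = [s.strip() for s in txt.split(";")]
    if segments[0].replace(" ", "") != "v=DMARC1":   # v= must be the first tag
        return ("none", 100)
    tags = {}
    for seg in segments[1:]:
        if "=" in seg:
            key, value = seg.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    p = tags.get("p", "none").lower()
    if p not in POLICIES:
        p = "none"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if not 0 <= pct <= 100:
        pct = 100
    return (p, pct)

def list_munges_from(txt):
    """List rule from the message: rewrite From for quarantine/reject, pct ignored."""
    return published_policy(txt)[0] in ("quarantine", "reject")

def receiver_disposition(txt, sample):
    """Disposition for a DMARC-failing message; sample is a draw in 0..99.
    Outside the pct sample the next-lower policy applies (RFC 7489)."""
    p, pct = published_policy(txt)
    if p == "none" or sample < pct:
        return p
    return "quarantine" if p == "reject" else "none"

STAGES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
    "v=DMARC1; p=quarantine; pct=0; rua=mailto:dmarc-reports@example.org",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
]

def rollout():
    """(record, list munges From?, disposition of a failing message) per stage."""
    return [(r, list_munges_from(r), receiver_disposition(r, 0)) for r in STAGES]

if __name__ == "__main__":
    for record, munged, disposition in rollout():
        print(f"{record!r}: munged={munged} failing mail -> {disposition}")
```

At the middle stage the list already rewrites From while a failing message is still delivered normally, which is the property the message relies on to find lists that do not munge before moving to p=reject.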
