On 6 Dec 2020, at 21:18, John Levine wrote:

> In article
> <cal0qlwb3plvfkoiukey38kk9weiesbyzciby72ls5yrwn6e...@mail.gmail.com>
> you write:
>> As I recall, people took a run at trying ADSP and it was largely
>> unsuccessful. I recall at least Yahoo, PayPal, and Google trying it but
>> finding that it interfered with their employees' participation in lists, so
>> they each invented new domains for their employees to use as separate from
>> their operational public services. This basically led to its demise.

IIRC, Yahoo! and Google had separate domains for their employees well
before ADSP. Which makes sense, because you want to differentiate your
employees from your customers. Although I’m not sure that matters here.

> Among ADSP's shortcomings was that there was no way to test it other
> than to turn it on and see how much damage it caused. The answer was
> frequently a lot, so they turned it back off and that was that.
>
> DMARC certainly has its problems but the reporting is great. It makes
> the surprises when you turn DMARC on a lot less, at least if your name
> is not AOL or Yahoo.

Agree, the reporting is great. But so much of the marketing/mandates I
see around DMARC doesn’t tell domain owners to turn on reporting first
to see what’s broken, it tells them to publish a DMARC p=reject policy
because they have a security vulnerability if they don’t. If the
guidance around DMARC was to publish a p=reject policy only “if it’s
safe to do so” (meaning mostly for transactional domains), I’d be a
lot happier with it.

-Jim
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
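
The "turn on reporting first to see what's broken" step discussed in the message above, as an added example that is not part of the original thread: it reads one DMARC aggregate (rua) report in the RFC 7489 XML layout and counts, per source IP, the mail that would be rejected if the domain moved to p=reject. The sample report, `example.com`, the IP addresses and the function name are constructed for illustration, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 layout, trimmed to the fields
# used here); the IPs are documentation ranges, example.com is a placeholder.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def would_fail_under_reject(report_xml):
    """Return (published policy, total messages, Counter of failing mail per IP)."""
    # Reports arrive from third parties; aggregate reports never need a DTD,
    # so refuse one instead of letting the parser expand entities.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations not allowed in a report")
    root = ET.fromstring(report_xml)
    policy = (root.findtext("policy_published/p") or "none").strip()
    total, failing = 0, Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        if row is None:
            continue
        count = int(row.findtext("count") or 0)
        total += count
        dkim = (row.findtext("policy_evaluated/dkim") or "fail").strip()
        spf = (row.findtext("policy_evaluated/spf") or "fail").strip()
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        if dkim != "pass" and spf != "pass":
            failing[(row.findtext("source_ip") or "unknown").strip()] += count
    return policy, total, failing
```

With the sample, only the source that fails both aligned checks is flagged; the SPF-only sender still passes DMARC and would survive a move to p=reject.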