On Sun, Dec 6, 2020, at 22:31, Michael Thomas wrote:
> there are clearly many use cases where that isn't a problem -- like bank
> transactional mail -- and ADSP was just fine for that.

There were still surprises to be had here. I still, to this day, find mail direct from various senders that is wanted by the recipient but that fails SPF without forwarding (with a -all) or hits a dmarc=reject. I quarantine such for review and release to users as needed.

Obviously lots is spam, or forwarding that broke SPF or whatever, but just as often it is a small piece of a big company doing something without fully understanding how modern email works. Oddly, it is often security-sensitive stuff: not crazy long ago it was Facebook password resets, often it is 2FA codes (which are probably going through a separate channel to get immediate delivery without risking backlog?), and other reasonably important things from parts of the company that I would expect to be at least moderately aware of the email security world.

I agree that ADSP was theoretically fine for this type of use, but in practice, DMARC's feedback simplifies things a lot when a client complains their outbound mail isn't making it and we can quickly see what is being rejected. It is an imperfect world.
