On 12/7/20 4:44 PM, Dave Warren wrote:
> On Sun, Dec 6, 2020, at 22:31, Michael Thomas wrote:
>> there are clearly many use cases where that isn't a problem -- like bank
>> transactional mail -- and ADSP was just fine for that.
>
> There were still surprises to be had here. I still, to this day, find mail
> direct from various senders that is wanted by the recipient but that fails SPF
> without forwarding (with a -all) or hits a dmarc=reject. I quarantine such for
> review and release to users as needed.
>
> Obviously lots is spam, or forwarding that broke SPF or whatever, but just as
> often it is a small piece of a big company doing something without fully
> understanding how modern email works. Oddly it is often security sensitive
> stuff, not crazy long ago it was Facebook password resets, often it is 2FA
> codes (which are probably going through a separate channel to get immediate
> delivery without risking backlog?), and other reasonably important things from
> parts of the company that I would expect to be at least moderately aware of the
> email security world.
>
> I agree that ADSP was theoretically fine for this type of use, but in practice,
> DMARC's feedback simplifies things a lot when a client complains their outbound
> mail isn't making it and we can quickly see what is being rejected.

it is an imperfect world.
I fear that DMARC's reporting only confirmed the obvious: this is hard.
It gave numbers to anecdotes. That's really useful, don't get me wrong.
Hopefully it can be used to suss out how to demarcate the long tail of
don't care use cases.
Mike