On 1/26/21 1:01 PM, Steven M Jones wrote:
> On 1/26/21 11:24, Michael Thomas wrote:
>> Here's a very basic question: if I do not know all of the IP addresses
>> that send on my behalf, are DMARC reports of any value?
>
> No, an organization is not assumed to have perfect knowledge of all
> their authorized sending sources. If that were common, there would have
> been much less need for DMARC in the first place.

In order to move from p=none to p=reject it seems like you need to know that. One of the big advantages of DKIM is that you don't need to know the network configuration of outsiders; you just add a selector for them. Not accommodating people who don't or can't know all of the legitimate IP addresses seems like a defect in the design/architecture of DMARC reporting, and leads to why it can be attacked in the way I described.

Mike

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc