On 2/1/21 4:05 PM, Dotzero wrote:
> On Mon, Feb 1, 2021 at 6:49 PM Michael Thomas <[email protected]> wrote:
>
>> On 2/1/21 3:23 PM, Dave Crocker wrote:
>>> On 2/1/2021 3:21 PM, John Levine wrote:
>>>> I find it hard to believe that if you are going to enough effort to
>>>> maintain the data to create and send reports, you can't figure out how
>>>> to install an SPF record for your reporting domain.
>>>
>>> Except that the tracking/reporting functions are completely separate
>>> from the 'signing' side of DMARC and could easily be different parts
>>> of a company.
>>>
>>> d/
>>>
>> It strains credulity that one part of a company would want to send out reports when some other can't even sign their email. Both need access to the email stream for starters.
>
> It doesn't strain my credulity at all. You are assuming a single mail stream. I saw it at my own employer before we got centralized control of DNS and implemented email authentication. I actually know of one company where several hundred thousand dollars of marketing emails ended up not getting through because a marketer thought they could evade corporate policy and the ESP gladly took the money even though the mail was getting rejected. It's a crazy world out there.

So we're supposed to ignore security considerations because... some companies are a mess? That's what this really boils down to. If we're writing specs for the least common denominator we might just as well stop. But we're not, nor have we ever.
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
