Hi,

On Tue 06/Jul/2021 14:45:35 +0200 Todd Herr wrote:
> The theoretical goal of any domain owner that publishes a DMARC record is to transition from an initial policy of p=none to a final one of p=reject, because it is only at p=reject that DMARC's intended purpose of preventing same-domain spoofing can be fully realized.
I slightly disagree on that. Both p=none and p=quarantine have their own merits, and the transition can take a very long time.
> Getting to p=reject isn't a difficult undertaking, at least from a technical standpoint. Enumerate all your mail streams, ensure that they're authenticating properly, and boom, you're done.
I keep seeing authentication failures on mailing lists. Speaking for myself, MLs constitute a relevant percentage of my mail traffic. I'm going to stay at p=none (or maybe p=quarantine; pct=0) until that is fixed.
> The purpose of this email is to get folks thinking about possibly simplifying the ratchet mechanisms, perhaps boiling them down into one.
I'd rather propose to add another p= level, in between p=none and p=quarantine. I'd want receivers to reject my mail if it fails authentication, but only on the first hop. In particular, I'd want mailing lists (whether or not doing From: munging) to reject unauthenticated messages claiming to come from me. (And, given that it's hard to specify "first hop", it would be fine to word such policy as "reject by MLMs only".)
Best
Ale
-- 

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
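The thread turns on what a receiver actually does with p=none, p=quarantine with pct=0, and unaligned mailing-list traffic. The following receiver-side evaluator is an added example written for this page, not code from the list, from Ale, or from any IETF draft. It implements the RFC 7489 rules the discussion relies on: identifier alignment (strict or relaxed), and the pct sampling rule under which a message outside the sample gets the next less strict policy, so that "p=quarantine; pct=0" yields a none disposition for every failing message while still requesting the quarantine-level reports. The organizational-domain derivation (last two labels) and the mailing-list sample messages are deliberate simplifications constructed for the example; a real receiver uses the Public Suffix List.

```python
"""Receiver-side DMARC disposition for a single message (RFC 7489 semantics).

Added example for illustration; not code from the dmarc list or from any
IETF document. org_domain() is a constructed simplification (last two
labels) standing in for a Public Suffix List lookup.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# RFC 7489 section 6.6.4: a message that falls outside the pct sample
# is handled under the next less strict policy, not under "pass".
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


@dataclass
class DmarcRecord:
    p: str        # requested policy: none | quarantine | reject
    pct: int      # percentage of failing messages the policy applies to
    adkim: str    # DKIM alignment mode: r (relaxed) | s (strict)
    aspf: str     # SPF alignment mode:  r (relaxed) | s (strict)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the TXT record found at _dmarc.<domain>."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    p = tags["p"].lower()
    if p not in STEP_DOWN:
        raise ValueError(f"unknown policy {p!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return DmarcRecord(p=p, pct=pct,
                       adkim=tags.get("adkim", "r").lower(),
                       aspf=tags.get("aspf", "r").lower())


def org_domain(domain: str) -> str:
    """Constructed simplification: organizational domain = last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between RFC5322.From and an authenticated domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(rec: DmarcRecord, from_domain: str,
               spf_domain: Optional[str], dkim_domains: Iterable[str]) -> bool:
    """True if SPF or any DKIM signature passed AND is aligned with From."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, rec.aspf)
    dkim_ok = any(aligned(from_domain, d, rec.adkim) for d in dkim_domains)
    return spf_ok or dkim_ok


def disposition(rec: DmarcRecord, from_domain: str, spf_domain: Optional[str],
                dkim_domains: Iterable[str], sample: int) -> str:
    """Return pass | none | quarantine | reject.

    `sample` is the receiver's per-message draw in 0..99; the requested
    policy applies only when sample < pct, otherwise the step-down policy.
    """
    if dmarc_pass(rec, from_domain, spf_domain, dkim_domains):
        return "pass"
    if sample < rec.pct:
        return rec.p
    return STEP_DOWN[rec.p]


if __name__ == "__main__":
    # Constructed mailing-list scenario: the MLM re-sent the message, so
    # SPF and DKIM now pass only for the list's own domain, not the author's.
    rec = parse_dmarc("v=DMARC1; p=quarantine; pct=0; rua=mailto:agg@example.com")
    for s in (0, 50, 99):
        print(s, disposition(rec, "example.com", "lists.example.org",
                             ["lists.example.org"], s))
```

Note that pct=0 is not the same as p=none from the report consumer's side: the receiver still evaluates the stricter policy and records it, it simply never enforces it, which is why the record is usable as a dry run before stepping up.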
