I understand that under the current specification, PCT has been useful because P=NONE with PCT=100 produces different results than QUARANTINE with PCT=0. This is an anomaly that I would hope we can fix, but if not, we need to specify that the only valid settings are PCT=0 or PCT=100. The specification should force numbers between 1 and 99 to be interpreted as either 0 or 100.
The current PCT specification is fatally flawed because the denominator is undefined and unstable. Suppose that a domain owner concludes that most but not all of his traffic will produce DMARC PASS. Should the percentage be based on message volume or Source IP counts? Either way, the volume distribution received by any single evaluator will be different than the volume distribution sent out. But the larger problem is that the evaluator is performing a conditional probability, because the policy is only applied to messages that produce DMARC FAIL. If there is no impersonation, an unauthenticated message has a 100% probability of being legitimate. The denominator is determined by the volume of impersonation messages, not by the volume of legitimate messages. The percentage offered by the sending domain owner is useless.

Next, assume that an accurate probability can be determined, and that 80% of unauthenticated messages are legitimate and 20% are impersonations. Does it make sense to apply that probability rule to message disposition? It will produce these results:

  Legitimate and DMARC ignored, message accepted = 80%*80% = 64% of total
  Legitimate and DMARC enforced, message blocked = 80%*20% = 16% of total
  Impersonation and DMARC ignored, message accepted = 20%*80% = 16% of total
  Impersonation and DMARC enforced, message blocked = 20%*20% = 4% of total

Therefore, the correct decision is applied only 68% of the time, and the wrong decision is applied 32% of the time. This is unsatisfactory for protecting against ransomware, and also unsatisfactory for reliably delivering wanted messages. The actual volume of impersonating messages will be determined by the spammer, not by the domain owner, so the whole notion of choosing a percentage is flawed. The domain owner does not have the information needed to provide a usable percentage. The message evaluator can only determine the percentage by carefully examining many messages and categorizing the source.
Once the source is categorized, guessing is no longer necessary and the percentage is irrelevant.

Doug Foster
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
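An added example, not part of Doug Foster's post or of the DMARC specification: it works the 80%/20% arithmetic above as a function of the evaluator's enforcement probability (pct/100) and shows that the correct-decision rate is linear in pct, so it is maximised only at pct=0 or pct=100, never at a value in between. The outcome-cell names and the assumed 80% legitimate fraction are mine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcomes:
    """Fraction of DMARC-FAIL messages landing in each disposition cell."""
    legit_accepted: float           # correct: wanted mail delivered
    legit_blocked: float            # wrong: wanted mail lost
    impersonation_accepted: float   # wrong: impersonation delivered
    impersonation_blocked: float    # correct: impersonation stopped

    @property
    def correct(self) -> float:
        return self.legit_accepted + self.impersonation_blocked

    @property
    def wrong(self) -> float:
        return self.legit_blocked + self.impersonation_accepted


def disposition_outcomes(p_legit: float, pct: int) -> Outcomes:
    """Model the post's argument: the receiver enforces the policy on a
    DMARC-FAIL message with probability pct/100 and ignores it otherwise.
    p_legit is the (assumed) share of DMARC-FAIL messages that are legitimate;
    the post uses 0.8, which the evaluator cannot actually know in advance."""
    if not (0.0 <= p_legit <= 1.0) or not (0 <= pct <= 100):
        raise ValueError("p_legit must be in [0, 1] and pct in 0..100")
    q = pct / 100.0             # probability the policy is enforced
    p_imp = 1.0 - p_legit
    return Outcomes(
        legit_accepted=p_legit * (1.0 - q),
        legit_blocked=p_legit * q,
        impersonation_accepted=p_imp * (1.0 - q),
        impersonation_blocked=p_imp * q,
    )


def best_pct(p_legit: float) -> int:
    """pct in 0..100 with the highest correct-decision rate.
    correct(q) = p_legit*(1-q) + (1-p_legit)*q is linear in q, so the
    maximum always sits at an endpoint: 0 when legitimate mail dominates
    the FAIL stream, 100 when impersonation does."""
    return max(range(101),
               key=lambda pct: disposition_outcomes(p_legit, pct).correct)


if __name__ == "__main__":
    o = disposition_outcomes(0.8, 20)   # the post's 80/20 scenario
    print(f"correct={o.correct:.2f} wrong={o.wrong:.2f} best pct={best_pct(0.8)}")
```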
