On 6 Jul 2021, at 5:45, Todd Herr wrote:
> Greetings.
>
> The theoretical goal of any domain owner that publishes a DMARC record is
> to transition from an initial policy of p=none to a final one of p=reject,
> because it is only at p=reject that DMARC's intended purpose of preventing
> same-domain spoofing can be fully realized.
*Any* domain owner? That is not a goal of any of my domains.
A DMARC record should reflect the sending behavior of the domain it’s
associated with. If the domain, for any number of reasons, does not have
the ability to authenticate all of its outgoing mail in an aligned way,
it should either publish p=none and leave it at that, or not publish a
DMARC record at all (if it doesn’t want any reports).
-Jim
P.S. What I think you are describing here is what I consider the
converse of a ratchet. A ratchet allows movement in one direction, not
the other, and you seem to be talking about going from a p=reject policy
back to something less strict if there is a problem.