On Sun 01/Aug/2021 01:47:12 +0200 Douglas Foster wrote:
> My core objection is the partial-enforcement algorithm. I cannot believe that
> it would be wise for me, or any other receiver, to implement that algorithm.

Why not? What's wrong with it?

    if DMARC fail and (p=quarantine or p=reject) then
        if (random mod 100) < pct then
            apply policy

> In the face of ambiguity, the only way to get a correct disposition is to
> collect more data. If I had more time, I would quarantine all
> unauthenticated mail until I could determine whether the sender should be
> authenticated by local policy or blacklisted by local policy.

If you collect millions of DMARC-fail messages every day for some years and
calculate the exact percentage you will get the same result as the algorithm
above applied on each message as it arrives. See:
https://en.wikipedia.org/wiki/Monte_Carlo_method#Overview

If you collect unauthenticated messages, besides the implied delay, you'll have
the problem of selecting which ones to select until the percentage is
fulfilled. The first ones? Distribute evenly in time or in size? Select the
ones with highest score? Luckily we don't have to do so.

Best
Ale
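
Added example (not part of the original message): a Python simulation of the per-message sampling pseudocode above, showing that independent random draws approach pct both overall and inside each time window of a constructed stream of DMARC-fail messages, without holding any mail back. The function names, the fixed seed and the stream sizes are assumptions made for the illustration.

```python
import random


def dmarc_disposition(dmarc_pass, policy, pct, rng=random):
    """Per-message decision from the pseudocode: one draw, no stored state.

    Returns the policy to apply, or None when the policy is not applied.
    """
    if not dmarc_pass and policy in ("quarantine", "reject"):
        # randrange(100) yields 0..99, so pct=0 never applies the policy
        # and pct=100 always does.
        if rng.randrange(100) < pct:
            return policy
    return None


def applied_fraction(n_failures, policy, pct, rng):
    """Fraction of n_failures DMARC-fail messages that got the policy."""
    applied = sum(
        dmarc_disposition(False, policy, pct, rng) is not None
        for _ in range(n_failures)
    )
    return applied / n_failures


def windowed_fractions(windows, per_window, policy, pct, seed=2021):
    """Applied fraction in each consecutive window of the arrival stream."""
    rng = random.Random(seed)  # fixed seed (assumption) for repeatable output
    return [applied_fraction(per_window, policy, pct, rng) for _ in range(windows)]


if __name__ == "__main__":
    # Constructed stream: 10 windows of 20,000 DMARC-fail messages, pct=25.
    fractions = windowed_fractions(10, 20_000, "quarantine", 25)
    for i, f in enumerate(fractions):
        print(f"window {i}: {f:.4f}")
    print(f"overall : {sum(fractions) / len(fractions):.4f}")
```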