On Thu 19/Aug/2021 20:23:50 +0200 Todd Herr wrote:
> Greetings.
>
> Opening a discussion on two tickets at once, because I think they're
> related, especially as presented in the current revision of DMARCbis.
> Both topics are addressed in Section 8, Minimum Implementations, which
> currently reads in its entirety:
>
> 8. Minimum Implementations
>
> Domain owners, mediators, and mail receivers can all claim to
> implement DMARC, but what that means will depend on their role in the
> transmission of mail. To remove any ambiguity from the claims, this
> document specifies the following minimum criteria that must be met
> for each agent to rightly claim to be "implementing DMARC".
>
> Domain Owner: To implement DMARC, a Domain Owner MUST configure its
> domain to convey its concern that unauthenticated mail be rejected or
> at least treated with suspicion. This means that it MUST publish a
> policy record that:
>
> * Has a p tag with a value of 'quarantine' or 'reject'
IMHO this is too much, given the current situation with mailing lists
(a.k.a. mediators). First problem, mail sites with lots of mailing
list traffic would compulsorily have to set pct=0, which shouldn't be
a requirement. Second problem, pct=0 forces mailing lists to rewrite
From:, and that way the domain owner misses all the feedback resulting
from mailing-list spread.
For the first problem, I propose an intermediate value, p=validate.
It is meant for first hops only, and mediators in particular. A
mediator should reject posts failing DMARC check if p=validate.
Normal receivers should ignore p=validate unless they know they're
routinely going to resend the message to external users (i.e. unless
they're mediators).
For the second problem, we'd need a way to ask for reports even after
From: rewriting.
> Mediator: To implement DMARC, a mediator MUST do the following before
> passing the message to the next hop or rejecting it as appropriate:
>
> * Perform DMARC validation checks on inbound mail
> * Perform validation on any authentication checks recorded by
>   previous mediators.
A MUST here wants, at a minimum, a specification of how one can validate
authentication checks, and how previous mediators can be recognized
and trusted.
> Mail Receiver: To implement DMARC, a mail receiver MUST do the
> following:
>
> * Perform DMARC validation checks on inbound mail
> * Perform validation checks on any authentication check results
>   recorded by mediators that handled the message prior to its
>   reaching the Mail Receiver.
See above. Requiring ARC to implement DMARC is overblown, especially
since you need a full blown global reputation system to trust ARC
assertions.
> * Send aggregate reports to Domain Owners at least every 24 hours
>   when a minimum of 100 messages with that domain in the
>   RFC5322.From header field have been seen during the reporting
>   period
Please drop that 100-message threshold. Is it a way to say that feedback from
personal and SOHO domains is not needed?
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
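Added example, not text or code from DMARCbis, RFC 7489 or either poster: a small Python evaluator that makes the two points in the message concrete. It applies the RFC 7489 handling of p=, sp= and pct= to a message that failed its DMARC check, which shows why a site that publishes p=reject or p=quarantine and then sets pct=0 (the "first problem" above) ends up with a downgraded policy for every message. It also adds the hypothetical p=validate value exactly as the message describes it: a mediator treats it as reject, an ordinary receiver ignores it. The p=validate branch, the role names "receiver" and "mediator", the function names and the example.com records are all assumptions made for this illustration.

```python
"""Toy DMARC policy evaluation for the discussion above.

Added example, not code from DMARCbis or either poster.  It implements
the RFC 7489 handling of p=, sp= and pct= plus the hypothetical
p=validate value proposed in the message: a mediator (mailing list)
treats it as reject, an ordinary receiver treats it as none.  The
example.com records are constructed.
"""
import random

RFC_POLICIES = ("none", "quarantine", "reject")
# "validate" is the proposal in the message above, not an RFC 7489 value.
KNOWN_POLICIES = RFC_POLICIES + ("validate",)
ROLES = ("receiver", "mediator")  # assumed role names for this toy


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a {tag: value} dict.

    Returns None if the record is not a DMARC record: the first tag must
    be v=DMARC1 (RFC 7489 section 6.4).  Tag names are lower-cased for
    tolerance; the ABNF in the RFC is stricter than this toy.
    """
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag, treat the record as unusable
        tags[key.strip().lower()] = value.strip()
    return tags


def _parse_pct(value):
    """pct defaults to 100 and is clamped to [0, 100]; junk gets the default."""
    if value is None:
        return 100
    try:
        return max(0, min(100, int(value)))
    except ValueError:
        return 100


def effective_policy(tags, role, is_subdomain=False, sample=None):
    """Disposition to apply to a message that FAILED the DMARC check.

    role is "receiver" (final delivery) or "mediator" (mailing list or
    forwarder).  sample is an integer in [0, 100) standing in for the
    receiver's pct sampling draw; None means draw at random.
    Returns "none", "quarantine" or "reject", or None when RFC 7489 says
    to apply no DMARC processing at all.
    """
    if role not in ROLES:
        raise ValueError("role must be one of %r" % (ROLES,))

    policy = tags.get("p", "").lower()
    if is_subdomain and "sp" in tags:
        policy = tags["sp"].lower()

    if policy not in KNOWN_POLICIES:
        # RFC 7489 section 6.6.3 step 6: no valid p (or sp) tag means
        # p=none if a rua tag is present, otherwise no DMARC processing.
        return "none" if tags.get("rua") else None

    if policy == "validate":
        # Hypothetical semantics from the message above: first hops, i.e.
        # mediators, reject failing posts; everyone else ignores the tag.
        # An unmodified RFC 7489 receiver would already land on "none"
        # through the invalid-p rule, provided a rua tag is present.
        policy = "reject" if role == "mediator" else "none"

    pct = _parse_pct(tags.get("pct"))
    if policy == "none" or pct == 100:
        return policy
    draw = random.randrange(100) if sample is None else sample
    if draw < pct:
        return policy
    # RFC 7489 section 6.6.4: messages outside the sampled share get the
    # next less severe policy, so p=reject;pct=0 is quarantine for every
    # message and p=quarantine;pct=0 is none.
    return "quarantine" if policy == "reject" else "none"


if __name__ == "__main__":
    records = {  # constructed sample records
        "quarantine, pct=0": "v=DMARC1; p=quarantine; pct=0; rua=mailto:dmarc@example.com",
        "reject, pct=0": "v=DMARC1; p=reject; pct=0; rua=mailto:dmarc@example.com",
        "validate (proposal)": "v=DMARC1; p=validate; rua=mailto:dmarc@example.com",
    }
    for label, txt in records.items():
        tags = parse_dmarc_record(txt)
        for role in ROLES:
            print("%-22s %-9s -> %s" % (label, role, effective_policy(tags, role, sample=50)))
```

Running the block prints one line per record and role; the pct=0 rows come out as quarantine and none regardless of role, while the p=validate row differs by role, which is the distinction the message argues for.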