On Fri 17/Dec/2021 18:38:54 +0100 Tim Wicinski wrote:
> On Fri, Dec 17, 2021 at 12:30 PM Dotzero wrote:
>> DMARC does not assess "honesty" nor does it assess "fraudulence". It only
>> determines whether something passes or fails the validation check. You are
>> apparently trying to overload your value interpretations in a manner that
>> does not exist in the standard.
>
> Thank you Michael, for reminding me of this. DMARC provides a result
> based on a collection of tests, and it is up to the receiver of the email
> whether they choose to accept the email or to reject it.

Yet, honesty and legitimacy are somewhat similar, and we do foremost consider
the latter aspect:

   DMARC is designed to prevent bad actors from sending mail that claims
   to come from legitimate senders, particularly senders of
   transactional email (official mail that is about business
   transactions).

Of course, if the From: domain doesn't exist at all, it cannot have a DMARC
record. However, according to the formal definition of Section 3.6.2, a
non-existing domain can pass all DMARC tests. IMHO, that is a gray area which,
together with the null MX case, deserves being mentioned somewhere, in the same
section, in Security Considerations or in an appendix.

Another difficulty of this subject might lie in the distinction between
non-existing addresses and non-existing domains. The SPF side of DMARC
conflates those concepts; and indeed "call" tests —part of other legitimacy
assessments— are usually performed on the envelope address. No-reply From:
addresses have now become part of everyday life, but AFAIUI some hold that
non-existent From: domains are legit too. Does such a concern touch the
question too?

Best
Ale