You misconstrue. This is not about guesswork. SPF PASS and DKIM VERIFIED provide proxy verification of the From address, comparable to a badge reader authenticating an employee, or perhaps more closely, a notary seal with attestation validating a document signature.
DMARC policy primarily provides guidance for failure handling, similar to an intrusion alarm for a badge reader. An alarm without a reader is useless, but a reader without an alarm is still a reader. There is a small overlap in roles when relaxed authentication is used, but exact match has no dependency on the DMARC policy. A message can only have two states: (1) verified free of impersonation risk, or (2) not verified free of impersonation risk. Any message that cannot be verified by some method is in group 2. Putting a message in group 2, when the evidence says otherwise, is simply bad system administration. The chairs define the scope, so I accept defeat, but not because the chosen scope makes any sense to me DF On Mon, Aug 8, 2022, 1:38 PM Scott Kitterman <[email protected]> wrote: > On Monday, August 8, 2022 9:10:22 AM EDT Barry Leiba wrote: > > > What I am hearing is: > > > > > > "DMARC permits evaluators to meet the needs of certain domain owners, > > > specifically domain owners who publish a DMARC policy." > > > > > > I am disappointed with the perceived indifference to the needs of > > > evaluators. > > There's a reason for that: DMARC was designed for senders to publish > > policy and for evaluators to evaluate based on the published policy. > > DMARC was not designed for evaluators to assume anything when no > > policy is published. > > > > It's valid to want some system where recipients can evaluate things on > > their own, absent anything published by senders (this is, for example, > > what "best-guess SPF" was). But that isn't DMARC, and DMARC was never > > meant to handle that. > > Agreed. > > Every attempt to do something like this has ended badly. Heuristics which > may, at first glance, appear useful don't generalize well. As an example, > I > understand that some have suggested taking "advantage" of policies for > "equivalent domains" under different PSDs. The problem is that there's no > guarantee of any relationship. If anyone doubts it, feel free to > replicate my > experience when I accidentally typed python.com into a browser instead of > python.org. I would, however, strongly suggest not doing at work, or on > an > employer provided/monitored device or network. It's nothing to do with > Python, the programming language. > > Scott K > > > _______________________________________________ > dmarc mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
