On Tue, Aug 23, 2022 at 4:52 AM Douglas Foster <
[email protected]> wrote:
> As best I understand the chair position, DMARC supports domain owners:
> - via PASS, which might improve delivery rates, and more importantly
> - via FAIL, by providing a way to deflect blame and liability when others
> are harmed by messages impersonating the domain's identity.
> This requires a DMARC policy, because the DMARC policy for deflecting
> blame.
>
"providing a way to deflect blame" strikes me as markedly more cynical than
any intent I've ever heard ascribed to DMARC by the people developing it.
I agree that it supports domain owners in the sense that it is (and was
always intended to be) a mechanism by which a domain owner makes a request
to message verifiers to handle their mail in a certain way.
> My definition of DMARC supports evaluators
> - via PASS, by helping ensure that they accept all messages from wanted
> senders,
> - via FAIL, by obstructing attempts to avoid harm to themselves from
> messages impersonating a trusted domain's identity.
> The DMARC policy is useful when present but not required.
>
> I don't think you can use the charter to reject my definition.
>
I believe your "policy is useful when present but not required" remark is a
re-statement of your claim that DMARC should yield a "pass" for any aligned
identifier irrespective of the presence or absence of a published policy.
However, the charter, at paragraph 4, demands that any change made by this
working group which does not preserve compatibility with the deployed base
has to be justified. If suddenly the absence of a published policy can
result in a DMARC "pass" or "fail" when this was not previously the case,
and this results in different handling decisions by receivers, I would say
compatibility has not been preserved.
The working group is able to make that change, but (a) consensus must exist
to do so, and (b) we need to justify the resulting potential disruption
adequately.
> The market has already rejected the narrow definition of DMARC.
>
It strikes me that if that were true, we wouldn't be having this
conversation, yet here we are.
> Finally, you seem to overestimate the value of the sender's disposition
> instructions. Based on data that others have reported to the group, the
> vast majority of published dispositions are currently NONE, so they add no
> value. On the other hand, anyone who has tried to enforce sender
> authentication also learns that there are a variety of situations that
> require exceptions because the FAILed message is still an acceptable one.
> So p=reject does not carry much weight with me either.
>
There are countless messages in my inbox for which SPF is "pass" and DKIM
is "fail", or vice-versa. Neither is dispositive. Are those pieces of
data also therefore useless? You're free to ascribe them no weight if you
wish, but other operators disagree.
> In short, some messages can be verified as PASS based on exact match,
> without a policy. Other messages can be verified as FAIL, without a
> policy, because they don't align at all. ("Sendgrid.net" does not align
> with "Example.com".) The policy adds value when it is present, but it is
> not required. Expecting evaluators to ignore this information is
> unreasonable. Using this document in an effort to prevent them from
> knowing that they should do so is unacceptable.
>
I submit that your repeated accusations of pernicious intent are not
constructive.
-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
