On Wednesday, August 24, 2022 3:41:20 PM EDT Barry Leiba wrote:
> — Section 5.8 —
>
> Mail Receivers MAY choose to accept email that fails the DMARC
> mechanism check even if the published Domain Owner Assessment Policy
> is "reject". Mail Receivers need to make a best effort not to
> increase the likelihood of accepting abusive mail if they choose not
> to honor the published Domain Owner Assessment Policy. At a minimum,
> addition of the Authentication-Results header field (see [RFC8601])
> is RECOMMENDED when delivery of failing mail is done.
>
> As we discussed at IETF 114, I think it’s important that we be a bit
> stronger here, and call the reader’s attention to RFC 7960. Here’s my
> text proposal, going with the “SHOULD” version, rather than the “MUST”
> version:
>
> NEW
> Mail Receivers MAY choose to accept email that fails the DMARC
> mechanism check even if the published Domain Owner Assessment Policy
> is "reject". In particular, because of considerations discussed
> in [RFC7960], it is important that Mail Receivers SHOULD NOT reject
> messages solely because of a published policy of “reject”, but that
> they apply other knowledge and analysis to avoid rejection of
> legitimate messages, harm to the operation of mailing lists, and
> the like.
>
> Mail Receivers need to make a best effort not to
> increase the likelihood of accepting abusive mail if they choose not
> to honor the published Domain Owner Assessment Policy. At a minimum,
> addition of the Authentication-Results header field (see [RFC8601])
> is RECOMMENDED when delivery of failing mail is done.
> END
>
> (This also needs an informative reference to 7960 added.)

I think this is pretty good, but I think it could be improved further.
Personally I like following SHOULD/SHOULD NOT with unless to make it clear
that this is why it may be OK. Also, I think it ought to either be MUST NOT
reject messages solely because of ... or SHOULD NOT reject messages because of
... since the information after the comma indicates solely due to reject is
never OK. I'm also not a fan of best effort. I think we need to be explicit
about the trade-off. How about this instead:

NEW2
Mail Receivers MAY choose to accept email that fails the DMARC
mechanism check even if the published Domain Owner Assessment Policy
is "reject". In particular, because of considerations discussed in
[RFC7960], it is important that Mail Receivers SHOULD NOT reject
messages because of a published policy of “reject”, unless
they apply other knowledge and analysis to avoid rejection of
legitimate messages, harm to the operation of mailing lists, and
the like.

It does increase the likelihood of accepting abusive mail if they choose
not to honor the published Domain Owner Assessment Policy in order to
improve interoperability among mail systems. If mail is delivered which
fails DMARC checks, addition of the Authentication-Results header field
(see [RFC8601]) is RECOMMENDED.

Scott K
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
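
The receiver behaviour under discussion in the message above (deliver a DMARC-failing message despite a published "reject" policy, and record the result in Authentication-Results per RFC 8601), sketched as an added example that is not part of the email or of any draft text. The `local_override` flag, the function names and the hostnames are assumptions made for illustration; the `p=`/`dis=` text is a free-form header comment.

```python
from email import message_from_string
from email.policy import default

def disposition(dmarc_pass, policy, local_override):
    """Receiver action. local_override is a hypothetical flag standing for the
    receiver's "other knowledge and analysis" (e.g. a known mailing list)."""
    if dmarc_pass or policy == "none" or local_override:
        return "deliver"
    return policy  # "quarantine" or "reject"

def auth_results(authserv_id, from_domain, dmarc_pass, policy, action):
    """RFC 8601 header value; the parenthesised comment records the published
    policy and the disposition actually applied."""
    result = "pass" if dmarc_pass else "fail"
    applied = "none" if action == "deliver" else action
    return (f"{authserv_id}; dmarc={result} (p={policy} dis={applied}) "
            f"header.from={from_domain}")

def stamp(raw, authserv_id, value):
    """Put our result first and drop inbound headers that already claim our
    authserv-id, since those cannot have been added by us."""
    msg = message_from_string(raw, policy=default)
    def claims_our_id(name, val):
        if name.lower() != "authentication-results":
            return False
        first = (str(val).split(";")[0].split() or [""])[0]
        return first.lower() == authserv_id.lower()
    kept = [(n, str(v)) for n, v in msg.items() if not claims_our_id(n, v)]
    for name in set(msg.keys()):
        del msg[name]
    msg["Authentication-Results"] = value
    for name, val in kept:
        msg[name] = val
    return msg

# Constructed sample: fails DMARC, p=reject, carries a forged result header.
SAMPLE = (
    "Authentication-Results: mx.receiver.example; dmarc=pass header.from=sender.example\n"
    "Authentication-Results: relay.other.example; spf=pass smtp.mailfrom=list.example\n"
    "From: user@sender.example\n"
    "Subject: list post\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    act = disposition(False, "reject", local_override=True)
    hdr = auth_results("mx.receiver.example", "sender.example", False, "reject", act)
    print(stamp(SAMPLE, "mx.receiver.example", hdr).as_string())
```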