On Wed 24/Aug/2022 21:40:20 +0200 Barry Leiba wrote:
> I think “SHOULD do what the domain owner says” is too strong, and
> propose to change it. By making it that strong we vary from the
> policy that recipients use all the input they have to make their
> handling decision, and we tell them that using this input alone is
> normatively required for interoperability/security. I think that’s
> wrong.
>
> I suggest this alternative text:
>
> NEW
> A Mail Receiver implementing the DMARC mechanism gets the Domain
> Owner’s or PSO's published DMARC Domain Owner Assessment Policy
> when a message fails the DMARC test, and uses it as an important
> factor in deciding how to handle the message.

I agree that blindly following the remote policy is a hazard. (Personally,
I enable that on a restricted set of domains only.) However, the above
text is too generic and slightly inexact. You actually get the policy
/before/ concluding the evaluation. DMARC result is an important factor
also if it is a pass or a none.

The above snippet can be skipped.

> Mail Receivers
> should make a best-effort attempt to comply with the published
> policy, but email streams can be complicated (due to forwarding,
> existing RFC5322.From domain-spoofing services, etc.) and Mail
> Receivers may have other information that can inform their
> decisions.

Agree to non-2119 expression.

> When Mail Receivers deviate from a published Domain Owner
> Assessment Policy during message processing they SHOULD make
> available the fact of and reason for the deviation to the Domain
> Owner via feedback reporting, specifically using the
> "PolicyOverride" feature of the aggregate report defined in
> [DMARC-Aggregate-Reporting].
> END

Fine.

Best
Ale
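
The following is an added example, not part of the original message and not code from any DMARC implementation. It sketches a receiver that treats the published policy as one input and, when it deviates, records the reason in the aggregate-report row. Element names and override types follow the RFC 7489 report schema (the cited draft may differ); the `local_signals` keys are hypothetical.

```python
import xml.etree.ElementTree as ET

# Override reason types from the RFC 7489 aggregate-report schema.
OVERRIDE_TYPES = {"forwarded", "sampled_out", "trusted_forwarder",
                  "mailing_list", "local_policy", "other"}


def decide(dmarc_result, published_policy, local_signals):
    """Return (disposition, override) for one message.

    dmarc_result is "pass" or "fail"; published_policy is "none",
    "quarantine" or "reject". local_signals is a hypothetical dict of
    receiver-side inputs (an assumption of this example). override is
    None, or (type, comment) when the receiver deviates from the policy.
    """
    if dmarc_result == "pass" or published_policy == "none":
        return "none", None
    if local_signals.get("known_mailing_list"):
        return "none", ("mailing_list", "list traffic recognised locally")
    if local_signals.get("trusted_forwarder"):
        return "none", ("trusted_forwarder", "forwarder on local allow list")
    # No contrary information: apply the published policy as-is.
    return published_policy, None


def policy_evaluated(disposition, dkim, spf, override=None):
    """Build the <policy_evaluated> element of one aggregate-report row."""
    pe = ET.Element("policy_evaluated")
    ET.SubElement(pe, "disposition").text = disposition
    ET.SubElement(pe, "dkim").text = dkim
    ET.SubElement(pe, "spf").text = spf
    if override is not None:
        kind, comment = override
        if kind not in OVERRIDE_TYPES:
            raise ValueError("unknown override type: " + kind)
        # The deviation and its reason are reported to the Domain Owner.
        reason = ET.SubElement(pe, "reason")
        ET.SubElement(reason, "type").text = kind
        ET.SubElement(reason, "comment").text = comment
    return pe


if __name__ == "__main__":
    # Constructed case: DMARC fail, p=reject, message came via a known list.
    disp, why = decide("fail", "reject", {"known_mailing_list": True})
    print(ET.tostring(policy_evaluated(disp, "fail", "fail", why)).decode())
```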