I understood Neil's concern, and have no objection, which is why I counterproposed "must not".

On Wed, Oct 19, 2022, 8:42 PM Neil Anuskiewicz <[email protected]> wrote:

> > On Oct 19, 2022, at 6:59 AM, Scott Kitterman <[email protected]> wrote:
> >
> >> On October 19, 2022 12:44:16 PM UTC, Dotzero <[email protected]> wrote:
> >> On Tue, Oct 18, 2022 at 11:18 PM Scott Kitterman <[email protected]> wrote:
> >>
> >>> On October 18, 2022 10:16:44 PM UTC, Neil Anuskiewicz <[email protected]> wrote:
> >>>>
> >>>>> On Oct 2, 2022, at 11:01 AM, Douglas Foster <[email protected]> wrote:
> >>>>>
> >>>>> In many cases, an evaluator can determine a DMARC PASS result without evaluating every available identifier.
> >>>>> If a message has SPF PASS with acceptable alignment, the evaluator has no need to evaluate any DKIM signatures to know that the message produces DMARC PASS.
> >>>> I think it’s critical to DMARC that receivers do things like evaluate and report on DKIM whether or not SPF passes and is in alignment. Without this, it would make it harder for senders to notice and remediate gaps in their authentication. Since there’s not a downside (that I know of), I’d say this should be a MUST if at all possible.
> >>>
> >>> What is the interoperability problem that happens if evaluators don't do that?
> >>>
> >>> Scott K
> >>
> >> Scott, What is the interoperability problem if evaluators didn't provide reports at all? Reporting isn't a "must" for interoperability but it certainly helps improve outcomes instead of senders flying blind.
> >
> > I read the email as suggesting a MUST for reporting both SPF and DKIM results if you report results at all, which would, I think lead to exactly the situation you're concerned about. I'm skeptical of any kind of MUST around reporting since that's generally reserved for things that impact interoperability. I do agree it should be encouraged.
> >
> > Mostly, at the moment, I'm trying to understand the proposed change and the rationale.
>
> I think the reactions were to the tone that seemed to suggest that the importance of reporting was being downplayed. MUST is too strong and strongly encouraged is sufficient. The standards system relies on people making a good faith effort. To me, Doug’s comments came off as wanting to weaken the language which concerned me.
>
> Reporting is key for DMARC to work as a system so any hint of weakening that language or even could be interpreted as such caught my attention. I think Doug clarified his position as addressing specific cases not a weakening of the reporting language.
>
> DMARC is about the interests of the system but following the standard strengthens the system within which the sender or receiver operates. Even if one wasn’t interested in the health of the system in and of itself, reporting benefits the admin as it increases security and reduces broken authentication. A *LOT* of Senders use reporting data as part of the process of fixing their own and third party senders they wish to allow or spoof, discovering errant shadow IT, etc.
>
> Reporting is of core importance for everyone if for no other reason than to avoid headaches. Thanks.
>
> Neil
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
