> On 21 Nov 2022, at 01:13, Murray S. Kucherawy <[email protected]> wrote: > > On Sun, Nov 20, 2022 at 11:33 AM Douglas Foster > <[email protected] > <mailto:[email protected]>> wrote: > That is helpful, thank you. It says to me that their non-participation does > not have any direct implications for what we are trying to do. > > Specifically, it is not that DMARC has too many false positives, or that the > processing effort is unacceptable. It is simply a reflection of their > assessment that valuable information should be purchased from them, not given > away for free. > > I think this is a bit of a cynical viewpoint. There are other simpler > reasons not to participate in reporting. Off the top of my head: > > 1) It is a non-trivial compute, storage, and maintenance cost a report > generator has to undertake, proportional to the amount of mail they handle, > and is done largely for the benefit of others. > > 2) The policy part of the protocol works just fine, and is a benefit, without > the reporting component. > > 3) There are risks of privacy leaks, either actual or perceived (or both). > > Many operators' business models would find any one of these hard to swallow, > much less all of them in combination.
I repeat what I said previously: There is no reason we have to link reporting and policy enforcement for recipient systems. If we start saying “you have to send reports if you evaluate DMARC” then it’s not going to lead to more people sending reports but may lead to fewer people enforcing policy or folks just ignoring the spec. Neither seems a good result to me. Overall, we cannot assume that organizations that are sending reports are enforcing DMARC policy - I have seen DMARC Fail/Fail, policy p=reject, disposition inbox in some reports. Nor can we assume that organizations that are not sending reports are not evaluating / enforcing policy. laura -- The Delivery Experts Laura Atkins Word to the Wise [email protected] Email Delivery Blog: http://wordtothewise.com/blog
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
