On April 19, 2023 1:37:25 PM UTC, Laura Atkins <la...@wordtothewise.com> wrote:
>
>> On 19 Apr 2023, at 14:20, John Levine <jo...@taugh.com> wrote:
>>
>> It appears that Jesse Thompson <z...@fastmail.com> said:
>>>
>>> On Mon, Apr 17, 2023, at 8:37 AM, Laura Atkins wrote:
>>>> Should the IETF make the interoperability recommendation that SaaS
>>>> providers who send mail on behalf of companies support aligned
>>>> authentication? That means custom SPF domains and custom DKIM
>>>> signatures.
>>>>
>>>> And if they can’t, then do we make a different recommendation regarding
>>>> spoofed mail that evades a company’s DMARC policy?
>>>
>>> +1 to this question. It's entirely unclear to ESPs whether they're allowed
>>> to spoof a domain that has no DMARC policy. ESPs can furthermore conclude
>>> that Domain Owners who publish p=reject|quarantine are violating DMARCbis,
>>> and subsequently the domain's policy declaration is invalid, and can be
>>> ignored.
>>
>> Please see my previous comment about trying to enumerate every dumb thing
>> people might do.
>>
>> I very strenuously do not want us trying to guess how ESPs think nor
>> offering them advice beyond the interop advice we offer everyone else.
>
>That was my question: is it an interop issue that ESPs (whether they be your
>traditional ESP or a SaaS provider that sends mail on behalf of their
>customers) cannot support custom domains in the SPF and DKIM and thus cannot
>support DMARC? Many of the current companies have made the decision that
>supporting DMARC is too hard, and so what they do is use their own domain for
>DMARC (some publish restrictive policies and some don’t).
>
>> In this specific case, if the company publishes p=reject, and they hire an
>> ESP, and the company is too inept to figure out how to let the ESP send
>> aligned mail, well, yeah, then the company's actual policy is clearly not
>> their published policy, and the ESP can do whatever it wants. So let's not
>> go there.
>
>To me it’s not so much the company can’t delegate authentication - it’s how
>many SaaS providers (some of which are ESPs and some of which are 3rd parties
>that send through ESPs) are incapable of supporting DMARC alignment. Not it’s
>hard, not it’s challenging, but simply … can’t. They cannot sign with foreign
>DKIM domains, and they cannot support different domains for SPF
>authentication.
>
>Should DMARCbis make the recommendation that if you are providing mail
>services that you SHOULD be able to support corporate customers using DMARC?
>

No. I don't think so, certainly not in DMARCbis.

There may be room for an email authentication BCP and this might fit in there, but I think that's something to think about after we get the current work done. The current DKIM working group topic might also be something that should be addressed in such a BCP.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc