On Wed, Jul 19, 2023 at 6:31 PM Douglas Foster < [email protected]> wrote:
> I don't take DMARC as a certain result to be used in isolation, but > clearly a quorum evaluators do, and hence the mailing list problem that has > caused such consternation. > > If we want to diminish their numbers, we have to communicate very > differently than RFC 7489. > > My problem with your favorite line is that the domain owner's preference > is of no interest to my filtering decision, but the DMARC result is. > Since even before SPF, people have been looking for a silver bullet to stop spam and phishing. I'm not surprised to hear that there are products out there that promise or implement such, despite the specifications not actually saying this is a good idea, or even (in DKIM's case, I believe) being rather explicit that it isn't. I don't think anyone is disputing that the DMARC result by itself is not a clear answer about what one should do upon receiving a message. The only time you really know something is when DMARC passes, but even that isn't a strong signal about the content of the message. All other answers are muddy, and should be treated that way. If DMARCbis needs to make this more explicit, I don't see a problem with doing so. I think a DMARC-aware product that's reject-on-fail by default has made a questionable choice, and not making that configurable is doubly so. However, I don't think an evaluator should be looking at the "p=" value and then trying to infer anything about the sending domain solely from that. This, to me, is crystal ball territory. We should omit it from our calculus. -MSK, participating
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
