> I think it is a mistake to consider technologies such as SPF, DKIM, and DMARC as anti-spam. They are a component of spam mitigation, but authentication of an identifier isn't a solution for spam. Meng Wong (for those of you that weren't around, he's the one that synthesized SPF out of previous proposals and was the early leader of the SPF project) used to say that SPF is not anti-spam in the same way that flour is not food. I think that extends to DKIM and DMARC as well.
>
> The challenge with the argument that this is brand protection, so the brand owner should decide is that it's primarily the receiver that needs to invest in integrating these technologies into their systems and accept the inevitable support burden that comes with them. The brand owner wants something from the receiver, so it needs to be simple and reliable enough to be worthwhile.
>
> SPF includes a policy mechanism so that receivers can reject mail that is not authorized by SPF. Outside of small sites with a lot of control over their mail stream, it's almost never used. It was tried and for large providers with a heterogeneous user base it wasn't cost effective to support due to the number of false positives and the associated tech support costs.
>
> DMARC seems to be heading the same way due to domains using p=reject that (at least in my opinion) shouldn't.
>
> Since there are no internet police, deployment of these technologies is a matter of incentives. We do protocol design, not economics, so it's a tough problem in the IETF context, but we need to keep it in mind. Getting the incentives right is probably the most important, but least tractable part of
> https://www.ietf.org/mailman/listinfo/dmarc

I agree that none of this is primarily anti-spam. It’s pro brand rep and anti-fraud.

I saw what happened with SPF and how it seemed completely random who would decide to enforce on hardfail. I recall a client losing mail as they used a hard fail and suddenly one of the more well known hosting companies started honoring hard fails, which was a fiasco for my client, who had just copied and pasted the -all in without thought to the implications. The outcomes were bad in a random way. It wasn’t hard to persuade him back to soft fail.

I feel with DMARC people come to recognize DMARC as the policy layer. SPF had too much responsibility. When one goes to p=reject one’s palms get sweaty. It’s clearly the policy layer, unlike -all, which was a bit too subtle a way to communicate policy intent. DMARC has the intuitive grok advantage.

I hope you’re wrong or that there’s a way to mitigate this problem you speak of. I remember that as a time of confusion. Confusion and chaos are our foes.

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
