On 7 Sep 2023, at 9:28, Wei Chuang wrote:

> Many enterprises already have "p=reject" policies. Presumably those domains were subject to some sort of spoofing which is why they went to such a strict policy.

This is not necessarily the case. For example, DHS has [directed](https://www.cisa.gov/news-events/directives/bod-18-01-enhance-email-and-web-security) all Executive Branch federal agencies to publish a policy of reject, regardless of whether they were subject to spoofing (and with no mention of the problems with doing so). Others have published “Email Security Best Practices” advocating the use of p=reject. For example, one well-known email vendor has a tool that generates a warning if p=quarantine or p=reject isn’t configured, and says on their website, “We recommend reject, for reasons we’ll touch on later.”

I agree that the SHOULD language is not very useful because it’s likely to be interpreted as only advice. Instead, I think we need a stronger statement about the consequences of this policy. For example, “Domains publishing p=reject MUST NOT expect mail to mailing lists and similar forwarders to be delivered reliably.”

-Jim