We have established that the normative implementation of DMARC is
(unfortunately) a fully-automated solution which implements RFC 7489
exactly and nothing more. These implementations block unconditionally on
Fail with Reject, and have minimal effect on disposition otherwise. With
any level of intelligent disposition auditing, we would not have the
mailing list problem.

DMARC's brilliance was the use of an authenticated identifier to provide
proxy verification of another identifier. It is the identifiers that
provide the authentication, not the policy. The policy influences only
the strictness of the alignment rule. This means that any message with
strict alignment on SPF PASS or DKIM PASS is DMARC authenticated, with or
without a policy. "No result" in this situation is the result of a
choice, but not a necessary one, and not one that is easily justified.

For those who have implemented to the specification, "No Result" means
"Content Filtering must carry the whole load," which it cannot do. So I
reject the notion that "No Result" is harmless.

Doug Foster



On Sun, Sep 17, 2023 at 5:29 PM Murray S. Kucherawy <[email protected]>
wrote:

> On Sun, Sep 17, 2023 at 11:04 AM Douglas Foster <
> [email protected]> wrote:
>
>> You misunderstand my position.  I don't expect a world where perfect
>> information is dropped in my lap without any effort on my part.  Not now,
>> not ever.
>>
>> I have determined, by measurement, that unauthenticated mail is a much
>> smaller percentage of all mail than one might expect.  This makes
>> inspection of unauthenticated mail both feasible and productive.
>>
>> But DMARC hinders this discovery by pretending that mail can only be
>> authenticated if a policy is found.
>>
>
> There's no assertion by DMARC of the nature you're describing.
> Specifically, when no policy is found, there is no DMARC outcome to be
> considered; a receiver must rely on other metrics or heuristics to make its
> handling decisions.
>
> I don't see that as a hindrance; I see it as merely outside of the scope
> of what DMARC intends (or is able) to solve.
>
>
>> Investigation will prevent unwanted blocks while exposing a lot of
>> unwanted traffic.  Evaluators who are unwilling to make the effort to
>> investigate are taking unnecessary risks which are likely to hurt them,
>> sooner or later.
>>
>
> This sounds like it might be sage advice, but it exceeds the scope of
> DMARC (or DKIM, or SPF, or ARC).
>
> -MSK, p11g
>
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
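
The distinction debated in the thread above, as an added example that is not part of any message in it and is not code from RFC 7489 or from either participant: it computes strict identifier alignment from an Authentication-Results header whether or not a DMARC policy was found, next to the spec-only outcome. The header values, the `example.*` domains and all function names are constructed for illustration, and only strict alignment is modelled (relaxed alignment needs an organizational-domain lookup).

```python
import re

# Constructed Authentication-Results values (authserv-id first, then method clauses).
DIRECT = ("mx.example.net; spf=pass smtp.mailfrom=bounce@example.org; "
          "dkim=pass header.d=example.org header.s=s1")
VIA_LIST = ("mx.example.net; spf=pass smtp.mailfrom=list.example.com; "
            "dkim=fail header.d=example.org")
VIA_ESP = ("mx.example.net; spf=pass smtp.mailfrom=esp.example.com; "
           "dkim=pass header.d=EXAMPLE.ORG")

def parse_authres(header):
    """Return (method, result, domain) triples for the SPF and DKIM clauses."""
    triples = []
    for clause in header.split(";")[1:]:           # skip the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(\S+)", clause)
        if d:
            # smtp.mailfrom may be an address or a bare domain
            domain = d.group(1).rsplit("@", 1)[-1].lower().rstrip(".")
            triples.append((m.group(1), m.group(2).lower(), domain))
    return triples

def strictly_aligned(from_domain, header):
    """Methods that passed with a domain identical to the RFC5322.From domain."""
    fd = from_domain.lower().rstrip(".")
    return [meth for meth, res, dom in parse_authres(header)
            if res == "pass" and dom == fd]

def evaluate(from_domain, header, policy_found):
    aligned = strictly_aligned(from_domain, header)
    if policy_found:
        # Assumes the published record asks for strict alignment (adkim=s; aspf=s).
        spec_only = "pass" if aligned else "fail"
    else:
        spec_only = "none"                         # no policy: no DMARC outcome
    return {"spec_only": spec_only,
            "aligned_by": aligned,                 # known regardless of policy
            "needs_inspection": not aligned}       # unauthenticated From identifier

if __name__ == "__main__":
    for name, hdr in (("direct", DIRECT), ("list", VIA_LIST), ("esp", VIA_ESP)):
        print(name, evaluate("example.org", hdr, policy_found=False))
```
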
