Re: [dmarc-ietf] Policy Enforcement Considerations

Tue, 19 Sep 2023 08:24:45 -0700 

On Tue 19/Sep/2023 16:41:41 +0200 Barry Leiba wrote:

Indeed.  Besides content filtering there could be knowledge that the
message came from a mailing list, there could be ARC or another
mechanism of that nature, there could be knowledge of the sending
domain and its user base, there could be knowledge of the specific
recipient and her preferences, there could be allow lists of various
sorts based on sender or recipient, and I'm sure there are additional
things I haven't thought of here.




My intention was to include all the cases you cite, except content filtering. 
Why did you have the impression that «additional knowledge and mechanisms» 
would exclude ARC or another mechanism of that nature?




And how are we "respecting the semantics" if we're not rejecting as
requested?



The semantics is respected when the forwarder checks DMARC and applies the 
policy, up to acceptable exceptions.  This list, for one, doesn't —as the 
innumerous example posted here prove.




[...]
On Tue, Sep 19, 2023 at 5:20 AM Scott Kitterman <[email protected]> wrote:

[...]
"The combined effort of Mail Receivers and Forwarders ...", for example, leaves 
out mailing lists, which is one of the things you said you were trying to solve.




Uh, I meant «Forwarders» to cover any kind of forwarding, including mailing 
lists.  I had hoped that having said «Mailing lists, and forwarding in general» 
would have conveyed the idea.



My wording can certainly be improved.  Before denying the idea, please consider 
a couple of facts:



1) We want ARC to override DMARC, yet we don't say so.  Not in such a way that, 
when a receivers does so, he can say he's following the letter of the protocol.



2) Content filtering cannot override DMARC, can it?  By "override", I mean the 
author domain publishes a hard policy, both SPF and DKIM fail, and there is no 
deterministic sign (signature or IP) that the message comes from a recognized 
forwarder (including MLs).  What kind of content could ever suggest that a 
receiver conscientiously overrides DMARC?



"Other knowledge and analysis", as currently in the draft, certainly includes 
content filtering.  Do we mean it?  Can we think of an example?  In fact, 
receivers don't enforce the policy because they have no idea of who the 
legitimate forwarders are, which is neither content filtering nor additional 
knowledge.



Best
Ale
--






_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc






















					Reply via email to