On Friday, March 15, 2024 10:15:55 AM EDT Todd Herr wrote: > On Fri, Mar 15, 2024 at 1:47 AM Douglas Foster < > > [email protected]> wrote: > > DMARC is an imperfect tool, as evidenced by the mailing list problem, > > among others. DMARCbis has failed to integrate RFC7489 with RFC 7960, > > because it provides no discussion of the circumstances where an evaluator > > should override the DMARC result. I believe DMARCbis needs a discussion > > about the appropriate scope and characteristics of local policy. > > I disagree with your premise, and I submit that it is not the role of the > IETF, DMARCbis, or any third party to determine either characteristics or > appropriate scope for a policy that is local to a Mail Receiver. > > A Mail Receiver's goal is to make sure that its mailbox holders receive > wanted mail while minimizing the amount of unwanted mail that's accepted, > and how they work to achieve that goal is solely their purview. > > DMARC authentication results can and probably do inform their work, but > they're just one piece of data for doing so. Their work will also be > informed by many other data points, some of which we know (historical > mailbox holder engagement with a given mail stream) and some of which we > don't know, and they adjust their handling decisions all the time based on > whatever signals they deem important. > > I believe that this paragraph in the Introduction section of DMARCbis > concisely describes DMARC to Mail Receivers: > > A DMARC pass indicates only that the RFC5322.From domain has been > authenticated for that message. Authentication does not carry an explicit > or implicit value assertion about that message or about the Domain Owner. > Furthermore, a mail-receiving organization that performs DMARC verification > can choose to honor the Domain Owner's requested message handling for > authentication failures, but it is not required to do so; it might choose > different actions entirely. > > > I further believe that the description of the 'p' tag and of its possible > values of 'none', 'quarantine', and 'reject' in section 5.3, General Record > Format, are enough to help the Mail Receiver understand how reliable the > Domain Owner believes its authentication practices to be and, along with > everything else the Mail Receiver knows about the sending domain, the > source of the mail stream, etc., etc., how much weight can be assigned to a > failed DMARC authentication result for that domain.
I agree. Let's move on. Scott K _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
