We can complain about people treating SPF Fail as definitive, but DMARC perpetuates the very same myth, which is:
“If Sender Authentication test X produces FAIL, then the message is malicious and should be blocked.”

It does not matter whether "X" is SPF Fail, DKIM Fail, ADSP Fail, DMARC Fail, or DMARC Fail with Reject. The proposition is at best a probability statement. Anyone who treats it as absolute will make significant disposition mistakes. In DMARC Land, we call that the "Mailing List Problem", even though the problem is not limited to mailing lists.

In an attempt to save the myth, we keep narrowing scope, which guides people to ignore a lot of malicious activity. Then to make things worse, we guide people to respond incorrectly when malicious activity is actually detected. We need to abandon the myth.

Doug Foster

On Sat, Apr 6, 2024 at 4:40 PM John Levine <[email protected]> wrote:

> It appears that Scott Kitterman <[email protected]> said:
> >I hear you. Your operational issue is my system working as designed. DMARC
> >works on top of SPF, it doesn't change it.
> >
> >Anything like this belongs in an operational guidance document, not in the
> >protocol description. I have no problem describing the trade offs in an
> >appropriate document, but I don't think this is it.
>
> I agree. "Don't do stupid stuff" goes in an A/S, not in the spec.
>
> I entirely believe people are confused about SPF, but they're confused
> about everything. A few days ago on the generally clueful NANOG list
> we had to explain to someone that rejecting mail if DKIM signatures
> don't verify is not a good idea.
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
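The "Mailing List Problem" Doug Foster refers to, worked through in code. This is an added example, not code from the thread or from any DMARC implementation: a toy evaluator that applies the identifier-alignment rules of RFC 7489 in simplified form (organizational domain taken as the last two labels instead of consulting the Public Suffix List) to three constructed messages. One is sent directly by the From: domain, one carries that From: domain but was sent from an unrelated domain, and one is a legitimate message relayed through a mailing list that rewrote the envelope sender and broke the original DKIM signature. The last two get the same DMARC verdict, which is the point of the post: a receiver that treats "fail" as definitive rejects the relayed message, while RFC 7489's local-policy override (reported as the `mailing_list` override type in aggregate reports) lets an informed receiver deliver it. All domains are placeholders.

```python
"""Toy DMARC evaluator showing why a DMARC "fail" is a probability statement.

Added example, not code from the dmarc list thread or from any DMARC
implementation.  Simplified RFC 7489 alignment logic applied to three
constructed messages.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    """The identifiers DMARC looks at, already extracted from a message."""
    from_domain: str            # RFC5322.From domain (what the user sees)
    mailfrom_domain: str        # RFC5321.MailFrom domain (what SPF evaluates)
    spf_result: str             # SPF result for mailfrom_domain: "pass"/"fail"/"none"
    dkim: List[Tuple[str, bool]] = field(default_factory=list)  # (d= domain, verifies?)


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels.  Real code consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(ident: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment compares organizational domains; strict compares exactly."""
    if strict:
        return ident.lower() == from_domain.lower()
    return organizational_domain(ident) == organizational_domain(from_domain)


def dmarc_evaluate(msg: Message, strict: bool = False) -> Tuple[str, List[str]]:
    """Return ("pass"|"fail", reasons).  DMARC passes if there is either an
    aligned SPF pass or an aligned DKIM signature that verifies."""
    reasons: List[str] = []
    spf_aligned_pass = (msg.spf_result == "pass"
                        and aligned(msg.mailfrom_domain, msg.from_domain, strict))
    if msg.spf_result != "pass":
        reasons.append(f"SPF {msg.spf_result} for {msg.mailfrom_domain}")
    elif not spf_aligned_pass:
        reasons.append(f"SPF pass for {msg.mailfrom_domain} is not aligned with {msg.from_domain}")

    dkim_aligned_pass = False
    for d, verifies in msg.dkim:
        if not verifies:
            reasons.append(f"DKIM d={d} does not verify")
        elif not aligned(d, msg.from_domain, strict):
            reasons.append(f"DKIM d={d} verifies but is not aligned with {msg.from_domain}")
        else:
            dkim_aligned_pass = True
    if not msg.dkim:
        reasons.append("no DKIM signature")

    return ("pass" if spf_aligned_pass or dkim_aligned_pass else "fail"), reasons


def disposition(verdict: str, policy: str, override: Optional[str] = None) -> str:
    """Receiver disposition.  RFC 7489 lets a receiver override the sender's
    published policy with local policy (e.g. for a known mailing list) and
    report the override type in aggregate reports."""
    if verdict == "pass" or policy == "none":
        return "deliver"
    if override:
        return f"deliver (override={override})"
    return policy  # "quarantine" or "reject"


# Constructed scenarios; all domains are placeholders.
DIRECT = Message("example.com", "example.com", "pass", [("example.com", True)])
SPOOFED = Message("example.com", "unrelated.example", "pass", [("unrelated.example", True)])
VIA_LIST = Message("example.com", "lists.example.org", "pass",
                   [("example.com", False), ("lists.example.org", True)])


def compare_receivers(policy: str = "reject") -> Dict[str, Tuple[str, str, str]]:
    """For each scenario: (DMARC verdict, naive disposition, disposition when the
    receiver applies a local-policy override for the known list relay)."""
    out: Dict[str, Tuple[str, str, str]] = {}
    for name, msg, override in (("direct", DIRECT, None),
                                ("spoofed", SPOOFED, None),
                                ("via_list", VIA_LIST, "mailing_list")):
        verdict, _ = dmarc_evaluate(msg)
        out[name] = (verdict, disposition(verdict, policy),
                     disposition(verdict, policy, override))
    return out


if __name__ == "__main__":
    for name, (verdict, naive, informed) in compare_receivers().items():
        print(f"{name:9s} DMARC={verdict:4s} naive={naive:8s} with-local-policy={informed}")
```

Running it with the From: domain publishing `p=reject` shows the spoofed and the list-relayed message both evaluating to "fail"; the naive receiver rejects both, and only the receiver that keeps a local override for the known list delivers the legitimate one. The `reasons` list from `dmarc_evaluate` is what a receiver should log, since the verdict alone cannot tell the two cases apart.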
