On Thu, Oct 24, 2024 at 4:34 AM Douglas Foster < [email protected]> wrote:
> The necessary first step is to acknowledge that RFC7489 is a heuristic, > and like all heuristics, it will make mistakes. So the interesting work > is determining how to detect and correct mistakes. > Please explain how Section 7.4 falls short of this "necessary" step. I agree that it would be nice for DMARCbis to admit these weaknesses while also presenting comprehensive mitigations, but the latter is not always both possible and standards-worthy. It's perplexing that you make these proclamations in the presence of contrary evidence and repeated explanations. >From a security standpoint, authentication is a binary Pass/Fail issue. > There are not 4 types of failure. Because any unauthenticated message > MIGHT be a malicious impersonation, the most secure response to an > unauthenticated message is quarantine. But you cannot do that early in > the rollout process because you will be overwhelmed by the quarantine > volume. So you triage, and let some unauthenticated messages through > sender authentication and hope that content filtering catches the worst > stuff. But if you do things right, the quarantine volume shrinks steadily. > In my view, you've basically restated Section 7.4 here. > You cannot afford to investigate the same quarantine issue over and over > again. So every quarantine investigation needs to lead to an allow/block > decision, and the result of an allow decision is to provide alternate > authentication in local policy. (Alternate authentication does not mean > whitelisting to bypass content filtering.) > This is operational advice. I would argue we don't need to spell this out because it's out of scope of the protocol itself, but if the WG decides to add text of this sort either here or in a best practices document, that's fine. I asked before and never got an answer: Do you have a draft available that collects all of this advice and mitigations? Or are you expecting the WG to do this on its own? I don't want to step into the chairs' domain, but I think we're long past the point of changing the entire scope of this document to incorporate best practices material of the volume and breadth you're espousing. -MSK
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
