On Tue, Nov 19, 2024 at 9:56 AM John Levine <[email protected]> wrote:
> It appears that Todd Herr <[email protected]> said: > >-=-=-=-=-=- > > > >On Tue, Nov 19, 2024 at 7:15 AM Douglas Foster < > >[email protected]> wrote: > > > >> If the WG refuses to talk about the credential upgrade problem, then the > >> problem does not exist? > >> > >> And if the problem does not exist, then the WG document does not need to > >> mention it, right? > >> > >> > >I don't think there's anything for DMARCbis to say about the problem. > > Agreed. DMARC is not the FUSSP, and there is an unlimited set of problems > that may > exist but are irrelvant to DMARC. > > This document should have been done a year ago. I don't think there are > any issues > that remain to be addressed so we should ship it. > > R's, > John > I agree with Todd and John. Trying to address poor operational and security practices on the part of domain owners/administrators cannot be addressed by DMARC. If a domain is compromised and a malicious actor starts sending emails from that domain is there anything DMARC can do about it? Absolutely not. Should DMARC discuss every possible form of abuse? Absolutely not. Sending domains with these sorts of operational/security issues will likely find themselves on blocklists or otherwise have their mail rejected. About the best that can be done is a simple statement under security considerations that a sending domain may have security and/or operational issues that allow malicious email to be sent through it's systems or on its behalf. I think the reason Douglas is being met with general silence is that despite the past responses from working group participants, he insists on repeatedly raising the same issue(s) over and over again. I wish the Chairs would start ruling certain issues as out of scope so we can deal with any remaining issues that are in scope. As John points out, DMARC is not the FUSSP. I am now returning to silence on this topic. Michael Hammer
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
