> On Fri, Nov 14, 2025 at 5:57 PM Douglas Foster
> <[email protected]> wrote:
>>
>> Now that the documents are complete, some feedback:
>>
>> DMARC is designed to protect domain owners and their brands from
>> impersonation. It does not attempt to solve the Recipient's problem, which
>> is to detect and block all impersonation. RFC 7960 documents some of the
>> problems that have occurred because this difference has not been well
>> understood.
>>
>> When authentication results are matched to an omniscient viewpoint, we
>> observe four possible outcomes:
>>
>> Correct authorship and Verified result
>> Correct authorship with Unverified result
>> Fraudulent authorship with Unverified result
>> Fraudulent authorship with Verified result
>>
>> DMARC detects the first case. The fourth case is rare and will be ignored
>> for the purposes of this document. The middle two cases represent the core
>> weakness of DMARC, because DMARC cannot distinguish between these two
>> outcomes.

I don't agree with the potential focus areas. If I get my config right, message authorship is verifiable. If I misconfigure things while sending and end up with outcome number two, I don't want a third party or some mechanism I do not control to determine that it's valid regardless. Too risky.

I can't stop somebody from running their inbound mail gateway that way today, but if I intentionally chose an "aggressive" stance with p=reject, I've stated my intent clearly. I am not convinced that I would ever want to formalize the opportunity for a larger grey area.

Cheers,
Al Iverson

--
Al Iverson // 312-725-0130 // Chicago
http://www.spamresource.com // Deliverability
http://www.aliverson.com // All about me
https://xnnd.com/calendar // Book my calendar
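
Added example, not part of either message in this thread: a simplified DMARC evaluator (identifier alignment per RFC 7489) run over constructed messages for outcomes one to three of the quoted list, showing that a receiver computes the same result for outcomes two and three. The two-label organizational-domain rule, the sample domains and all function names are assumptions made for the illustration.

```python
# Simplified DMARC evaluation: a message passes if SPF or DKIM passes AND
# the authenticated domain aligns with the RFC5322.From domain.
# Assumption: organizational domain = last two labels; real receivers
# consult the Public Suffix List instead.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    if strict:  # aspf=s / adkim=s: exact match required
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    label: str
    from_domain: str   # RFC5322.From domain (what the user sees)
    spf_pass: bool     # SPF result for the RFC5321.MailFrom domain
    spf_domain: str    # RFC5321.MailFrom domain
    dkim: list         # [(d= domain, signature verified?)]

def dmarc_pass(msg: Message, aspf: str = "r", adkim: str = "r") -> bool:
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, aspf == "s")
    dkim_ok = any(ok and aligned(d, msg.from_domain, adkim == "s")
                  for d, ok in msg.dkim)
    return spf_ok or dkim_ok

def disposition(msg: Message, policy: str = "reject") -> str:
    if dmarc_pass(msg):
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed samples; example.com stands in for a domain publishing p=reject.
SAMPLES = [
    Message("1 correct authorship, verified", "example.com",
            True, "bounce.example.com", [("example.com", True)]),
    Message("2 correct authorship, unverified (relay broke DKIM)", "example.com",
            True, "lists.example.net", [("example.com", False)]),
    Message("3 fraudulent authorship, unverified", "example.com",
            True, "mailer.example.org", [("example.org", True)]),
]

def results(policy: str = "reject") -> dict:
    # Keyed by outcome number from the quoted list.
    return {m.label[0]: disposition(m, policy) for m in SAMPLES}

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.label:55} -> {disposition(m)}")
```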
