Al, you misunderstand my priorities, so let me put them to rest. #1 - There is no protocol that can ever say whether accepting a message with unverified identity is a good idea, and I was not proposing one. It is all about judgement. My problem with DMARC is that it encourages bad judgement.
#2 - I filter email to meet the needs of my management and my co-workers. I live daily with the knowledge that one inappropriately allowed email could be the trigger that puts me and my coworkers out of jobs, while our customers would lose our services and our landlords would lose our rent payments. My fear is much greater than the fear represented by your disposition policy. My disposition decisions are made based on careful judgement.

The unfortunate reality is that everybody accepts some email whose authorship is not verified by DMARC. One reason for this is the indefensible notion that DMARC can only be computed if a DMARC policy has been published. But that error is aggravated by the notion that p=none is equivalent to No Policy. Fortunately, most messages are not impersonations, and that reduces the perceived risk of ignoring authentication problems, which only makes us more vulnerable to the fraud that does occur.

Ask your inbound email filtering group what percentage of your inbound email is authenticated, what techniques they use to determine authentication, and what is to be done about everything that is accepted without authentication. I don't think you will like the answer, because every email that is accepted without authentication is a possible impersonation fraud.

The problem is actually worse than authorship fraud. Defenses against Friendly Name fraud are needed, but they are meaningless if the From address is fraudulent. Content filtering is ultimately author-dependent, because the acceptability of a message is contingent on what is known about the author. So failure to authenticate enables a cascade of other risks.

Restating my case:

- Non-agency mail should only be allowed if it is authenticated by algorithm or local policy. This is a much stronger position than anything posited by DMARC.
- Agency mail should be evaluated with an explicit consideration of the trust to be given to the agent, because the agency process will hide valuable information which cannot always be retrieved.

Of the four or five strategies I outlined for dealing with agency messages, I believe all are in use in my configuration.

The most ridiculous security policy is to accept 99 unauthenticated messages from a mailing list and then block the 100th message only because it comes from Yahoo with a DMARC disposition policy of p=none. Yet that appears to be standard operating procedure in most organizations, because most organizations think that DMARC is the solution to their problems.

Doug

On Sat, Nov 15, 2025 at 11:39 AM Al Iverson <aiverson= [email protected]> wrote:
>
> On Fri, Nov 14, 2025 at 5:57 PM Douglas Foster <[email protected]> wrote:
> >
> > Now that the documents are complete, some feedback:
> >
> > DMARC is designed to protect domain owners and their brands from impersonation. It does not attempt to solve the Recipient's problem, which is to detect and block all impersonation. RFC 7960 documents some of the problems that have occurred because this difference has not been well understood.
> >
> > When authentication results are matched to an omniscient viewpoint, we observe four possible outcomes:
> >
> > Correct authorship and Verified result
> > Correct authorship with Unverified result
> > Fraudulent authorship with Unverified result
> > Fraudulent authorship with Verified result
> >
> > DMARC detects the first case. The fourth case is rare and will be ignored for the purposes of this document. The middle two cases represent the core weakness of DMARC, because DMARC cannot distinguish between these two outcomes.
>
> I don't agree with the potential focus areas. If I get my config right, message authorship is verifiable. If I misconfigure things while sending and end up with outcome number two, I don't want a third party or some mechanism I do not control to determine that it's valid regardless. Too risky. I can't stop somebody from running their inbound mail gateway that way today, but if I intentionally chose an "aggressive" stance with p=reject, I've stated my intent clearly. I am not convinced that I would ever want to formalize the opportunity for a larger grey area.
>
> Cheers,
> Al Iverson
>
> --
>
> Al Iverson // 312-725-0130 // Chicago
> http://www.spamresource.com // Deliverability
> http://www.aliverson.com // All about me
> https://xnnd.com/calendar // Book my calendar
>
> _______________________________________________
> dmarc mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
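Added example, not code from the thread or from any DMARC implementation: the evaluator below keeps apart the two things the exchange above argues about, the identifier-alignment result (which a receiver can compute for every message, whether or not the From domain publishes a record) and the domain owner's requested disposition (p=none, quarantine, reject, or no record at all). The constructed scenarios include the mailing-list case from the post: two relayed messages, one from a p=none domain and one from a domain with no record, produce the identical authentication outcome and differ only in the policy tag. All domains, records and authentication results are constructed, and the public-suffix table is a stand-in for the real Public Suffix List.

```python
"""Compute DMARC identifier alignment independently of the published policy."""
from dataclasses import dataclass
from typing import Optional

# Stand-in for the Public Suffix List (assumption made for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: one label above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Tag/value dict for a DMARC TXT record; None when no usable record exists."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # malformed: RFC 7489 treats it as if no record were present
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Verdict:
    authenticated: bool  # an aligned SPF or DKIM identifier passed (needs no record)
    policy: str          # owner's request: none / quarantine / reject, or "no-record"
    reasons: list


def evaluate(from_domain, spf_result, spf_domain, dkim_results, record) -> Verdict:
    """dkim_results is a list of (result, d=) pairs; record is the TXT string or None."""
    tags = parse_dmarc(record)
    adkim = tags["adkim"] if tags else "r"  # relaxed alignment is the default even with no record
    aspf = tags["aspf"] if tags else "r"
    reasons, authenticated = [], False
    for result, d in dkim_results:
        ok = result == "pass" and aligned(d, from_domain, adkim)
        authenticated = authenticated or ok
        reasons.append(f"dkim d={d} {result}, aligned={aligned(d, from_domain, adkim)}")
    if spf_result == "pass":
        ok = aligned(spf_domain, from_domain, aspf)
        authenticated = authenticated or ok
        reasons.append(f"spf {spf_domain} pass, aligned={ok}")
    else:
        reasons.append(f"spf {spf_result}")
    return Verdict(authenticated, tags["p"].lower() if tags else "no-record", reasons)


# Constructed scenarios: a mailing list (lists.example.org) re-sends two posts,
# breaking the author's DKIM signature and substituting its own envelope sender.
SCENARIOS = {
    "direct, p=none": ("yahoo.com", "pass", "yahoo.com", [("pass", "yahoo.com")], "v=DMARC1; p=none"),
    "via list, p=none": ("yahoo.com", "pass", "lists.example.org", [("fail", "yahoo.com")], "v=DMARC1; p=none"),
    "via list, no record": ("example.net", "pass", "lists.example.org", [("fail", "example.net")], None),
    "subdomain, relaxed": ("news.example.com", "none", "", [("pass", "example.com")], "v=DMARC1; p=reject"),
    "subdomain, strict": ("news.example.com", "none", "", [("pass", "example.com")], "v=DMARC1; p=reject; adkim=s"),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario and return name -> Verdict."""
    return {name: evaluate(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:22} authenticated={v.authenticated!s:5} policy={v.policy:10} {'; '.join(v.reasons)}")
```

The two "via list" rows are the point: the receiver learns exactly as much about authorship in both cases (nothing), and a filter that blocks one while accepting the other is acting on the policy tag rather than on the authentication result.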
