On Jun 7, 2014, at 9:49 PM, Christian Laußat <us...@spamassassin.shambhu.info> wrote:
> On 07.06.2014 19:55, Franck Martin wrote:
>> As DMARC provides a feedback mechanism to the sender, then it is up to
>> the sender to deal with these issues, you are just following their
>> policy, you don’t need to or have to second guess them. You can use
>> some whitelists in openDMARC for some streams you really care about,
>> like mailing lists. There are usually not too many.
>> The default option of openDMARC is to not reject, as to avoid if you
>> forgot opendkim or spf, and start to reject all the incoming mail…
>> Once you are happy with the config, you ought to change that option.
>
> The problem is that the sender is not the postmaster, so if e.g. yahoo.com
> had changed its policy to p=reject, many senders had been blocked without even
> knowing why. There are many postmasters who think they understood DMARC and
> set a wrong policy. For human interaction DMARC policy should be p=none. And
> p=reject should only be used for automatic mailing systems e.g. shopping
> systems and banks.

This is not correct. I think it is strange to claim that yahoo or aol, being a co-creator of DMARC and having outstanding engineers in the profession, do not know what they are doing.

> So it's your decision if you would risk to lose some e-mail, but for me it
> is just another indicator for SpamAssassin to rate the mail.

Because of the monitoring mode, when you move to p=reject, with all the aggregate reports, you know exactly how much mail you will lose. As you take control of your email streams it becomes a sweet point where fixing exact domain spoofing is more interesting than losing some emails. Your mileage may vary.

> If you let OpenDMARC block on policy failures, why don't you let OpenDKIM
> block on DKIM failures and SPF-milter on SPF failures? Blocking on only one
> criterion leads to many false positives. That's the power of SpamAssassin, to
> combine many rating points and then decide if it's spam or not.

DKIM and SPF do not have a reporting to the sender to tell them how many emails were blocked/rejected. DKIM does not have a policy method, only SPF. So as a sender with SPF -all you have no idea how many emails are blocked, very few are willing to take that risk. With DMARC, you know exactly which emails are getting blocked/rejected.