[dmarc-discuss] Co-ordinating recipient policy?

Murray S. Kucherawy msk at cloudmark.com
Tue Jan 31 16:53:11 PST 2012


> -----Original Message-----
> From: dmarc-discuss-bounces at blackops.org [mailto:dmarc-discuss-bounces at blackops.org] On Behalf Of David Woodhouse
> Sent: Tuesday, January 31, 2012 4:45 PM
> To: Michael Adkins
> Cc: dmarc-discuss at dmarc.org
> Subject: Re: [dmarc-discuss] Co-ordinating recipient policy?
> 
> >  I'm not sure why someone would proceed directly to publishing a
> > record that requests 100% rejection without reviewing any of their
> > reports first, especially if they haven't implemented DKIM signing.
> 
> People *do* already publish IP-based SPF records ending in '-all'. I
> find it strange, but it's true. And for those people it seems like a
> no-brainer to immediately proceed to a DMARC record with 100%
> rejection, since that's what their SPF record was already asking for.
> Even without deploying DKIM. These people were *already* burying their
> heads in the sand and asking recipients to reject perfectly valid mail.
> Why would they stop now?

Accordingly, I don't see how DMARC does any additional harm.  Their mail will already be rejected by SPF; what additional damage does DMARC do here?

> > Section 10 lays out the recommended procedure for deploying a DMARC
> > for outbound mail.  I'm not sure what else we can do to prevent an
> > administrator from making poor decisions.
> 
> There's little you can do to prevent an administrator from making poor
> decisions (like publishing SPF records with -all, asking the world to
> reject perfectly valid forwarded messages).
> 
> What you *can* do is offer a way for those who *haven't* made poor
> decisions to advertise that fact, so that clueful recipients will
> actually *honour* their requested policies.

Why do you believe that negligent administrators won't just throw that "Yes, I know what I'm doing" switch from the start?

> Fred needs to know the difference between the senders I presented in my
> examples:
> 
>  - The complete idiot who just publishes a DMARC record to complement
>    their existing SPF record, and doesn't use DKIM at all.
> 
>  - The misguided person who hasn't quite finished rolling out DKIM
>    signing to all their output, but thinks that an SPF record will
>    'validate' the unsigned mails and prevent loss.
> 
>  - The saner person who *does* DKIM-sign all outbound mail. But who
>    happens to have an SPF record (perhaps ending with ?all) too; perhaps
>    because some misguided large provider forced them into it.

You are relying on the senders to classify themselves.  I submit that this is a losing proposition.  The best Fred could do is vet them manually and adjust his own local policies accordingly.

-MSK
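The thread above argues about senders who publish SPF `-all` and then jump straight to a DMARC policy requesting 100% rejection, without DKIM and without ever looking at aggregate reports. The following is an added example, not code from the thread or from any DMARC project: a small Python checker that parses an SPF record and a DMARC record and labels exactly those postures (hard-fail SPF, full reject, enforcing with no `rua` reporting address) so a recipient or auditor can see what a sender is asking for. The record strings are constructed samples; a real tool would fetch them from DNS, and the tag names used (`p`, `pct`, `rua`) are the standard DMARC tags.

```python
"""Classify a sender's published SPF/DMARC posture.

Added example (not from the dmarc-discuss thread). It reports the situations
discussed there: SPF ending in -all, a DMARC policy requesting 100% rejection,
and an enforcing policy with no reporting address, i.e. no way to "review
reports first". Inputs are constructed TXT record strings.
"""
import re
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=...' into a lower-cased tag/value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("pct", "100")  # spec default: policy applies to all mail
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'),
    or None when the record has no 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare 'all' means '+all'
    return None


def rollout_stage(dmarc: dict) -> str:
    """Name the deployment stage implied by p= and pct= (monitoring,
    partial_<p>, full_<p>)."""
    p = dmarc.get("p", "none").lower()
    pct = int(dmarc["pct"])
    if p == "none":
        return "monitoring"
    return f"partial_{p}" if pct < 100 else f"full_{p}"


def classify_posture(spf_record: Optional[str], dmarc_record: Optional[str]) -> dict:
    """Summarise what the sender is asking recipients to do.

    findings:
      spf_hard_fail              SPF ends in -all (reject on SPF mismatch)
      dmarc_full_reject          p=reject with pct=100
      enforcing_without_reports  p=quarantine/reject but no rua= address
    """
    findings = []
    stage = "no_dmarc"
    if spf_record and spf_all_qualifier(spf_record) == "-":
        findings.append("spf_hard_fail")
    if dmarc_record:
        dmarc = parse_dmarc(dmarc_record)
        stage = rollout_stage(dmarc)
        if stage == "full_reject":
            findings.append("dmarc_full_reject")
        if dmarc.get("p", "none").lower() in ("quarantine", "reject") and not dmarc.get("rua"):
            findings.append("enforcing_without_reports")
    return {"stage": stage, "findings": findings}


if __name__ == "__main__":
    # Constructed samples matching the thread's "idiot" and "saner" senders.
    print(classify_posture("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject"))
    print(classify_posture("v=spf1 include:_spf.example.net ?all",
                           "v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

The checker only reads what the sender publishes; whether the sender actually DKIM-signs everything is not visible in DNS, which is the point MSK makes about self-classification. Treat the findings as prompts for manual vetting, not as an automatic trust decision.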