[dmarc-discuss] Co-ordinating recipient policy?
Murray S. Kucherawy
msk at cloudmark.com
Tue Jan 31 16:53:11 PST 2012
> -----Original Message-----
> From: dmarc-discuss-bounces at blackops.org [mailto:dmarc-discuss-bounces at blackops.org] On Behalf Of David Woodhouse
> Sent: Tuesday, January 31, 2012 4:45 PM
> To: Michael Adkins
> Cc: dmarc-discuss at dmarc.org
> Subject: Re: [dmarc-discuss] Co-ordinating recipient policy?
> > I'm not sure why someone would proceed directly to publishing a
> > record that requests 100% rejection without reviewing any of their
> > reports first, especially if they haven't implemented DKIM signing.
> People *do* already publish IP-based SPF records ending in '-all'. I
> find it strange, but it's true. And for those people it seems like a
> no-brainer to immediately proceed to a DMARC record with 100%
> rejection, since that's what their SPF record was already asking for.
> Even without deploying DKIM. These people were *already* burying their
> heads in the sand and asking recipients to reject perfectly valid mail.
> Why would they stop now?
Accordingly, I don't see how DMARC does any additional harm. Their mail will already be rejected by SPF; what additional damage does DMARC do here?
> > Section 10 lays out the recommended procedure for deploying a DMARC
> > for outbound mail. I'm not sure what else we can do to prevent an
> > administrator from making poor decisions.
> There's little you can do to prevent an administrator from making poor
> decisions (like publishing SPF records with -all, asking the world to
> reject perfectly valid forwarded messages).
> What you *can* do is offer a way for those who *haven't* made poor
> decisions to advertise that fact, so that clueful recipients will
> actually *honour* their requested policies.
Why do you believe that negligent administrators won't just throw that "Yes, I know what I'm doing" switch from the start?
> Fred needs to know the difference between the senders I presented in my
> - The complete idiot who just publishes a DMARC record to complement
> their existing SPF record, and doesn't use DKIM at all.
> - The misguided person who hasn't quite finished rolling out DKIM
> signing to all their output, but thinks that an SPF record will
> 'validate' the unsigned mails and prevent loss.
> - The saner person who *does* DKIM-sign all outbound mail. But who
> happens to have an SPF record (perhaps ending with ?all) too; perhaps
> because some misguided large provider forced them into it.
You are relying on the senders to classify themselves. I submit that this is a losing proposition. The best Fred could do is vet them manually and adjust his own local policies accordingly.
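The thread above argues about three kinds of senders (SPF -all with no DKIM, a half-finished DKIM rollout, and a fully signing domain with a permissive SPF record) and about whether a recipient like Fred can do anything other than vet senders by hand and apply local policy. The following toy model, added here and not code from the list or from any DMARC implementation, walks one legitimate forwarded message from each sender type through an SPF-only check, a DMARC check with strict identifier alignment, and a DMARC check with a receiver-side override table. The domains, IP addresses, SPF/DMARC records and the override table are all constructed for the example; SRS, relaxed alignment, `pct=` and subdomain policy are deliberately left out.

```python
"""Toy model of SPF-only, DMARC, and DMARC-with-local-override dispositions
for forwarded mail from the three sender types in the thread.
Constructed example; domains, IPs and records are made up."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    from_domain: str                     # RFC5322.From domain; DMARC aligns against this
    mail_from_domain: str                # RFC5321.MailFrom domain; SPF is checked against this
    client_ip: str                       # IP of the host that handed us the message
    dkim_domain: Optional[str] = None    # d= of a verified DKIM signature, None if unsigned


# Constructed records for the three sender types described in the thread.
SPF_RECORDS = {
    "idiot.example": "v=spf1 ip4:192.0.2.10 -all",       # -all, no DKIM at all
    "misguided.example": "v=spf1 ip4:192.0.2.20 -all",   # -all, DKIM not rolled out everywhere
    "sane.example": "v=spf1 ip4:192.0.2.30 ?all",        # signs everything, SPF neutral
}
DMARC_RECORDS = {domain: "v=DMARC1; p=reject" for domain in SPF_RECORDS}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict (enough for the v= and p= tags used here)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_check(domain: str, ip: str) -> str:
    """Minimal SPF: ip4 mechanisms plus the trailing 'all' qualifier only."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    mechanisms = record.split()[1:]          # drop the 'v=spf1' version token
    for mechanism in mechanisms:
        if mechanism.startswith("ip4:") and mechanism[4:] == ip:
            return "pass"
    qualifiers = {"-all": "fail", "~all": "softfail", "?all": "neutral",
                  "+all": "pass", "all": "pass"}
    return qualifiers.get(mechanisms[-1], "neutral")


def spf_only_disposition(msg: Message) -> str:
    """A receiver that already enforces '-all' hard fails, with no DMARC involved."""
    return "reject" if spf_check(msg.mail_from_domain, msg.client_ip) == "fail" else "accept"


def dmarc_disposition(msg: Message, local_policy: Optional[dict] = None) -> str:
    """DMARC pass/fail with strict alignment; on failure the published p= applies
    unless the receiver's own override table (Fred's manual vetting) says otherwise."""
    record = DMARC_RECORDS.get(msg.from_domain)
    if record is None:
        return "none"
    spf_aligned = (msg.mail_from_domain == msg.from_domain
                   and spf_check(msg.mail_from_domain, msg.client_ip) == "pass")
    dkim_aligned = msg.dkim_domain == msg.from_domain
    if spf_aligned or dkim_aligned:
        return "pass"
    if local_policy and msg.from_domain in local_policy:
        return local_policy[msg.from_domain]    # receiver ignores the published request
    return parse_tags(record).get("p", "none")


FORWARDER_IP = "198.51.100.5"   # constructed: a forwarding host in no sender's SPF record


def forwarded(domain: str, signed: bool) -> Message:
    """A legitimate message relayed by a forwarder: SPF breaks, a DKIM signature survives."""
    return Message(domain, domain, FORWARDER_IP, dkim_domain=domain if signed else None)


def scenario() -> dict:
    """Returns {sender: (SPF-only, DMARC, DMARC with Fred's overrides)} for each sender type."""
    fred_overrides = {"idiot.example": "none"}   # Fred vetted this sender and ignores its p=reject
    cases = {
        "idiot": forwarded("idiot.example", signed=False),
        "misguided": forwarded("misguided.example", signed=False),
        "sane": forwarded("sane.example", signed=True),
    }
    return {name: (spf_only_disposition(m), dmarc_disposition(m), dmarc_disposition(m, fred_overrides))
            for name, m in cases.items()}


if __name__ == "__main__":
    for name, (spf_only, dmarc, with_override) in scenario().items():
        print(f"{name:10s} SPF-only={spf_only:7s} DMARC={dmarc:7s} DMARC+local={with_override}")
```

The first two senders lose the forwarded message to an SPF-enforcing receiver before DMARC enters the picture, and DMARC's p=reject changes nothing for them; the signing sender passes DMARC through DKIM even though its SPF result is neutral. Only the override table distinguishes the first sender from the second, which is the manual vetting the message above describes: nothing in the published records lets the receiver tell them apart automatically.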