On 4/20/2014 2:25 PM, Douglas Otis wrote:
> That said, DMARC was never intended to address needs beyond the
> narrow scope of high value transactional email.
And unfortunately, this attitude was always wrong. Hate to say, but "I
told you so." What the design attitude says is this:
If the domain is high value, then only apply policy.
For all others, ignore it.
Well, what is "high value?" How do you distinguish "value" in an
anonymous world? Must everyone have a profile in some Good Reputation
Databases? Fee based? Even if we want this, we are not there yet!!
The seed to all this author domain brush back was born in the
unfortunate RFC 5016 DKIM Signing Practice requirements document's
last-minute addition of item 10 in section 5.3, where it strongly mandates
that a 1st party policy MUST NOT override the 3rd party policy.
RFC 5016, Section 5.3
10. SSP MUST NOT provide a mechanism that impugns the existence of
non-first party signatures in a message. A corollary of this
requirement is that the protocol MUST NOT link practices of first
party signers with the practices of third party signers.
INFORMATIVE NOTE: the main thrust of this requirement is that
practices should only be published for that which the publisher
has control, and should not meddle in what is ultimately the
local policy of the receiver.
Refs: Deployment Consideration, Section 4.3.
Just replace the term SSP with DMARC and you have the same thing. This
is where all the resistance towards author domain policies began, with
this written-in-stone functional requirement. This attitude is still
among us. Not saying it's completely wrong, but it's certainly not right
either. Yahoo proved it for us.
The irony?
Rather than try to honor policy to keep the security high, we are
looking for ways to circumvent it. Ignoring Policy no longer works.
--
HLS